Annex 1

Summaries of the licensee reports

In this Annex 1 the summaries of all licensee reports are compiled together, utility by utility. A common description of the meaning of terms and the basic design concept is given in the introduction. The licensee reports are available (in German) on the web pages of the utilities. The links are provided in the following table:

Table A-1: Links to the web pages with licensee reports

Name of unit | Link to web page with site-specific stress test report
Biblis A/B | http://www.rwe.com/web/cms/mediablob/de/1241412/data/16492/1/rwe-powerag/standorte/kkw-biblis/Ergebnisse-des-EU-Stresstests.pdf
Brokdorf | http://www.eon.com/de/downloads/KBR_Endbericht_Langversion.pdf
Brunsbüttel | http://www.vattenfall.de/de/file/KKB_Stresstestbericht.pdf_19581321.pdf
Emsland | http://www.rwe.com/web/cms/mediablob/de/1241416/data/16646/1/rwe-powerag/standorte/kkw-emsland/Ergebnisse-des-EU-Stresstests.pdf
Grafenrheinfeld | http://www.eon.com/de/downloads/KKG_Endbericht_Langversion.pdf
Grohnde | http://www.eon.com/de/downloads/KWG_Endbericht_Langversion.pdf
Gundremmingen B/C | http://www.rwe.com/web/cms/mediablob/de/1241422/data/17148/1/rwe-powerag/standorte/kkw-gundremmingen/Ergebnisse-des-EU-Stresstests.pdf
Isar 1 | http://www.eon.com/de/downloads/KKI_1_Endbercht_Langversion.pdf
Isar 2 | http://www.eon.com/de/downloads/KKI_2_Endbercht_Langversion.pdf
Krümmel | http://www.vattenfall.de/de/file/KKK_Stresstestbericht.pdf_19595413.pdf
Neckarwestheim I/II | http://www.enbw.com/content/de/der_konzern/enbw_gesellschaften/enbw_kernkraft/sicherheit/stresstest_neckarwestheim/hauptteil_gkn_veroeffentlichung.pdf
Philippsburg 1/2 | http://www.enbw.com/content/de/der_konzern/enbw_gesellschaften/enbw_kernkraft/sicherheit/stresstest_philippsburg/Hauptteil_KKP_Veroeffentlichung.pdf
Unterweser | http://www.eon.com/de/downloads/KKU_Endbericht_Langversion.pdf
Obrigheim | http://www.enbw.com/content/de/der_konzern/enbw_gesellschaften/enbw_kernkraft/sicherheit/stresstest_obrigheim/Hauptteil_KWO_Ver__ffentlichung.pdf

Content

1       Introduction and general aspects ..... 1
1.1     Meaning of Terms ..... 2
1.1.1   Meaning of "cliff-edge effect" ..... 2
1.1.2   Meaning of "robustness" ..... 3
1.2     Basic Design concept of German nuclear power plants ..... 4
1.2.1   Defence-in-depth safety concept and protection goals ..... 5
1.2.2   Defence in depth levels ..... 5
1.2.3   Consequences of the basic design concept ..... 7
1.2.4   Further developments in Germany ..... 7
2       KBR / Brokdorf ..... 10
3       KKG / Grafenrheinfeld ..... 21
4       KKI 1 / Isar 1 ..... 32
5       KKI 2 / Isar 2 ..... 43
6       KKU / Unterweser ..... 54
7       KWG / Grohnde ..... 65
8       KWO / Obrigheim ..... 76
9       GKN I / Neckarwestheim 1 ..... 88
10      GKN II / Neckarwestheim 2 ..... 106
11      KKP-1 / Philippsburg 1 ..... 122
12      KKP-2 / Philippsburg 2 ..... 138
13      KRB II / Gundremmingen Unit B and C ..... 155
14      KKE / Emsland ..... 168
15      KWB-A/B / Biblis Unit A and B ..... 176
16      KKB / Brunsbüttel ..... 185
17      KKK / Krümmel ..... 191

1 Introduction and general aspects

In response to the accident at the Fukushima Daiichi nuclear power plant in Japan, the European Council declared on 24 and 25 March that the safety of all nuclear power plants in the EU should be reviewed on the basis of a comprehensive and transparent risk assessment ("stress tests"). The European Nuclear Safety Regulators Group (ENSREG) and the European Commission were called upon to work out the scope and modalities of these tests within an agreed framework, with the full participation of the member states, in light of the knowledge gained from the accident in Japan. A letter from the German Federal Ministry for the Environment, Nature Conservation and Nuclear Safety (BMU), dated 31 May 2011 (ref. RS I 5 – 18033/22.03) and containing the specifications for "stress tests" developed through this process, was brought to the attention of German nuclear power plant operators through the competent Länder authorities. In this letter we were asked to submit a progress report by 15 August 2011 and a final report by 31 October 2011 based on the given specifications. The progress report was submitted to the Ministry for Justice, Equality and Integration (MJGI) punctually on 15 August 2011.

In compliance with the ENSREG requirements, the present final report contains information on plant design, statements concerning design margins, plant robustness beyond design, a discussion of so-called "cliff edge" effects, conclusions about the adequacy of safety measures and potential for further improvements. Whenever useful, the relevant operating phases are specified in the separate sections along with any other relevant boundary conditions. For those parts of the assessment that go beyond the scope of plant design, the information provided is based partly on engineering judgement. This conforms in particular to the methodology of ENSREG ("engineering judgement", see ENSREG document Annex I, EU "stress test" specifications).

The final report is structured according to the outline specified by ENSREG at its meeting on 5 September 2011 and has been supplemented at the beginning with a summary of the study results, arranged according to subject. The content of Chapter 7 (conclusions) recommended by ENSREG is thereby covered in full detail by this summary. To support the exchange of views in Europe and the peer review process in connection with the European safety review, we are also providing this summary in English. Since some of the terms used by ENSREG are not uniformly defined, we have explained the meaning of these terms as used in the answers to the related questions in the summary.

It should be noted in general that the European safety review has a very strong focus on beyond design basis issues in light of the events in Japan. This focus is appropriate and conducive to the assessment of plant robustness beyond the design basis; nevertheless, for purposes of the multilevel defence-in-depth concept, the technical conception of the plants (e.g., redundancy and diversity of safety functions or precautions), already considered in their design, must be in the assessment focus as well. We have therefore addressed this aspect, which is of elementary importance for an understanding of the plant's robustness, in a section of the summary devoted to the basic design concept.

The operators are interested in a transparent, uniform, and objective procedure for the European stress tests throughout Europe. In close cooperation with the other European operators, the German operators have constructively, openly, and actively supported the European safety review process from the beginning. National variations in, for example, the scope of assessment, or specific aspects on which not all participating countries agree, should be dealt with outside the European safety review to ensure that reports are comparable. The focus for all participants should be on the "lessons learned" with respect to the robustness of the plants and their potential for improvement. For the German operators it is therefore a matter of the highest priority that the results of our operator analyses regarding the robustness of our plants are clearly, objectively, and transparently recognised in the national report, in the subsequent peer review process and, finally, in the overall results of the European safety review, or are otherwise included within this European framework.

1.1 Meaning of Terms

1.1.1 Meaning of "cliff-edge effect"

To ensure that there is a uniform understanding of the term "cliff edge effect" with international acceptance, the German operators consulted IAEA documents. The German operators have been guided by the explanations in IAEA Safety Standard SSG-2, "Deterministic Safety Analysis for Nuclear Power Plants" (IAEA, Vienna, 2009), which states, in an explanatory footnote in section 3.11, that "A cliff edge effect in a nuclear power plant is an instance of severely abnormal plant behaviour caused by an abrupt transition from one plant status to another following a small deviation in a plant parameter, and thus a sudden large variation in plant conditions in response to a small variation in an input." In IAEA Safety Guide NS-G-1.6, "Seismic Design and Qualification for Nuclear Power Plants" (IAEA, Vienna, 2003), the term is used in section 2.39, likewise in a deterministic sense in connection with beyond design basis seismic events, in a way similar to its use in SSG-2.

Section 9.10 of the aforementioned IAEA Safety Standard SSG-2 contains comments on the risk relevance of an abrupt transition in a parameter. These comments point to the rapid increase in the source term of radioactive materials in accident sequences which, because of their presumably low frequency, are not considered in the design process yet remain relevant in so far as the risk of release is concerned: "… the design should ensure that there is not a rapid increase in the source term for those faults that are considered that have frequencies just beyond those for the design basis. This is sometimes referred to as a cliff edge effect […]. It should be part of the regulatory requirements to demonstrate that such an effect does not occur".

Hence the "cliff edge effect" is understood to be a slight exceeding of the design basis that causes a sudden or very rapid loss of vital safety functions or protection goals, thereby causing a disproportionate increase in the potential for the release of radioactivity. If further measures are provided for such cases (such as emergency measures) that prevent the loss of vital safety functions or protection goals, this is not a "cliff edge effect" according to our understanding of the term.

1.1.2 Meaning of "robustness"

The overall "robustness" of a plant depends on its robustness both within and beyond the design range.

Robustness of the design basis

Robustness in the control of design basis events is characterised by rigorous application of design principles. Mention should be made in particular of diversity, redundancy, structural protection, and spatial separation as design principles that are applied to achieve the required effectiveness and reliability of important safety-related systems, structures, and components in controlling design basis events. Also included is the use of deterministic postulates such as, for example, the postulation of failures (single failure concept), the assumption of maintenance, or the requirement that no manual actions be necessary within the first 30 minutes. Further, precautionary measures to preclude events or to lessen the effects of failures are applied that further increase robustness. To determine the rated values for the design, conservative approaches are defined in the design codes. These include both the frequency of occurrence of the postulated events (e.g., exceedance probabilities according to the German Nuclear Safety Standards Commission (KTA) of 10⁻⁵/a for earthquakes) and the methods used to determine the resulting effects on systems, structures and components (for example, through enveloping or comparative values). As a result of these measures, the control of design basis events is ensured – even when one allows for imponderables – so that the plant design can be described as robust. The German concept for avoiding the loss of offsite power supply (standby offsite power connections, a minimum of four emergency diesels) may be mentioned as an example of a conservative and robust design. Both the availability of standby offsite power connections and the provision of emergency diesels result in a robust supply of electrical energy to the power-consuming devices that are important for safety.

Robustness beyond the design basis

Robustness in beyond design basis events is established on the basis of several aspects:

- Design margins implied in the rating of design basis events: As a rule, components are not designed precisely to the values called for in the design code (rated values) but with safety allowances (design margins). This approach is already an essential element for avoiding cliff edge effects, as required by IAEA SSG-2. A limited excess above the rated values is covered by these design margins and therefore cannot result in failure of the components.
- Additional margins: Beyond the margins chosen for the design, components have further margins, as their technical specifications generally do not represent their failure thresholds. Additional margins are inherent in their material characteristics, which reflect the manufacturing requirements for the materials used. Consistent use of qualified materials and manufacturing processes ensures that a margin exists between the specified material property values and the actual failure thresholds.
- Margins resulting from the applied verification procedures: Like the method for determining the rated values and the design method, the methods used to verify the effectiveness of existing systems also have substantial conservatism. At the same time it is especially important that the assumed values and resulting loads are, for the most part, comprehensive. Uncertainties that may result from modelling or the use of correlations are considered conservatively. Thus the verification methodology itself results in margins in relation to event sequences that may realistically be expected (for example, from a realistic point of view, 4 x 50% systems can to some extent be rated as 4 x 100% systems).
- Technical precautions: In connection with emergency measures, additional technical precautions are taken to achieve control or lessening of the effects of beyond design basis events. An example of such "additional margins" is the connection of mobile pumps to ensure heat removal.

Extensive analyses of the German plants that have considered the impact of aircraft crashes and blast waves show that additional reserve margins exist beyond the design. For purposes of the EU stress test, both robustness within the design basis and robustness beyond the design basis must be studied.

1.2 Basic Design concept of German nuclear power plants

As required by the ENSREG specifications, the precautionary measures in plant design against the postulated scenarios must be described and the robustness of the plant beyond the design basis assessed. To that end, the basic design concept on which the German nuclear power plants are based must be considered first, as the safety concept of the plants operated in Germany has some special characteristics that are important for a proper assessment of robustness and that therefore should be summarised.

According to the intent of the German Atomic Energy Act (Atomgesetz) and related decisions of the German Federal Constitutional Court, the principle of the best possible precaution against damage applies in nuclear engineering. This principle requires that plants be operated only if their safety has been proved beyond doubt and a sufficient safety margin from all conceivable danger thresholds is maintained. Accordingly, even extremely improbable events must in principle be postulated and controlled, and may be disregarded only if the event is – on the basis of practical rationality – deemed impossible. The nuclear power plants in Germany are designed and operated so that, both during specified normal operation and in the event of an accident, the nuclear reactor can be safely shut down and kept in a safe state, the residual heat can be removed, the confinement of radioactive materials is ensured, and the exposure of plant personnel and the general population to radiation is kept as low as technically possible.

1.2.1 Defence-in-depth safety concept and protection goals

The main objective for the protection of persons and the environment is to secure confinement of the radioactive materials resulting from operation of the nuclear power plant. As an international standard (IAEA safety requirements), a multilevel safety concept (defence-in-depth concept) with the following features was implemented for that purpose in the design of German nuclear power plants:

- Isolation of the radioactive materials from the environment by means of a system of multiple enclosing barriers (barrier concept),
- A system of measures on multiple levels (defence-in-depth levels) that ensures that the integrity and function of the barriers are adequate,
- Technical solutions for safety systems that, even in the event of postulated malfunctions (technical failure or human error), ensure the protection of the barriers (design principles for safety systems).

To ensure that the confinement of radioactive materials is effective even in accidents, the barriers must be adequately protected against damage. The fundamental safety functions for reactor safety are:

- Confinement of radioactive materials: Confinement of the radioactive materials contained in the fuel elements must be secured by means of barriers.
- Control of reactivity: The reactor must always be limited in its output and reliably capable of being shut down to prevent excessive heat generation that cannot be removed by the available cooling systems.
- Cooling of fuel elements: It must be possible to safely remove the heat that results from radioactive decay even after the reactor has been shut down, so that the internal barriers are not endangered by overheating.

1.2.2 Defence in depth levels

Compliance with the fundamental safety functions, and with it the effectiveness of the barrier system, is ensured by means of multiple levels of measures assigned to "defence in depth levels". The basic idea of the defence in depth (DID) levels consists in the following:

- Measures are taken on one DID level to avoid failures and breakdowns as much as possible.
- Failures are nevertheless assumed ("postulated") and corrective actions are provided at the next DID level to compensate for or control the postulated failures.

On this basis, four defence in depth levels for plant safety have been defined:

Defence in depth level 1: Avoidance of deviations and accidents through a far-reaching design concept with equipment of high and monitored quality and with certified and regularly trained personnel (normal operation). Normal operation without deviations is ensured by conservative design and comprehensive quality assurance, including the use of high-quality components and plant items (optimal design and manufacturing processes along with special materials and extensive tests as well as in-service inspections through the entire life of the components and of the plant in general), integration of high safety margins into overall planning, a regulated mode of operation, and the use of qualified operating personnel.

Defence in depth level 2: Control of deviations from normal operation that are postulated anyway and avoidance of accidents through limiting measures (abnormal operation). Fault alarms and limiting systems are present so that operational deviations beyond the control range usual for normal operation can be detected and controlled. If certain thresholds are exceeded, a correction is made automatically so that a progression into accident conditions is avoided and the power plant remains within the limits of its operational design. Light water reactors have in addition self-stabilising operating characteristics.

Defence in depth level 3: Control of accidents that are postulated to occur anyway, by means of safety systems specially engineered and designed for reliable accident control. This includes, in particular, designing the equipment and components needed to provide the fundamental safety functions for compliance with the protection goals to withstand naturally caused and man-made events (accident control). If the precautions at the preceding defence in depth levels are not effective, the result may be an accident, which the plant controls with specially designed safety systems. A large number of conservatively covered event sequences referred to as "design basis accidents" are used as the basis for dimensioning and designing these safety systems. In the event of the design basis accidents specified for German nuclear power plants, the reactor protection system, together with the key safety systems, guarantees that the reactor is shut down, residual heat is removed, and the radioactive inventory is confined. The basic design concept, with its principles of redundancy, diversity, physical separation of redundant sub-systems, and safety-oriented system behaviour in the event that sub-systems or parts of the plant malfunction, ensures that the safety systems necessary to provide the fundamental safety functions for compliance with the protection goals remain available. The particularly consistent application of the mentioned principles in German nuclear power plants contributes substantially to the robustness of our plants.

Defence in depth level 4: Prevention and mitigation of the effects of extremely rare conditions (risk minimisation) against which the plant must be designed (defence level 4a) or of conditions beyond the design basis (defence levels 4b and 4c). In the EU stress tests – irrespective of the extensive precautions at the preceding defence in depth levels and frequency of occurrence – events are postulated that must be placed at defence in depth level 4 so that the effectiveness of emergency measures beyond the existing robust design can be studied. For events with an assumed failure of protective and safety equipment, additional emergency measures are provided. The aim of these measures is to prevent damage to the core (mainly through measures to ensure adequate core cooling) and, in the event this is unsuccessful, to limit as much as possible the release of radioactive materials into the environment (for example ensuring containment integrity through filtered pressure relief).

The result of this multiple layering of measures to maintain the barriers is that failures at one level can be contained in principle at the next DID level. In this sense, this defence-in-depth safety concept is a "fault-tolerant safety concept" that, as consistently implemented in Germany, contributes substantially to the robustness of our plants.

1.2.3 Consequences of the basic design concept

The assessment of the robustness of the German nuclear power plants, and accordingly of their capabilities for coping with situations beyond the design basis, must take into account that, due to the basic design concept, the German plants show a considerably lower frequency of events exceeding the plant's design basis. As the German Reactor Safety Commission (RSK) states in its comment of 16 May 2011, for example, the consequences of a tsunami at the Fukushima Daiichi site obviously received inadequate consideration when a decision was made regarding the protection required for units 1 to 4. Given the tsunamis that had already occurred in the Pacific region and the frequency of occurrence to be deduced from them, it should have been expected that a tidal wave might occur that would exceed the design basis of the Fukushima nuclear power plant. Knowledge of this sort would have been considered in the licensing and/or supervisory process in Germany and would have resulted in associated requirements for the plants. Even this naturally caused impact upon the site would therefore have been placed within the design basis range and would not have produced harsh consequences had it occurred. In light of this, the assessment of the robustness of the German nuclear power plants must include adequate consideration of the basic design concept before margins in the range beyond the design basis are assessed.

1.2.4 Further developments in Germany

The in-depth development of the safety concept in Germany since the beginning of the 1970s is characterised by an approach that may be expressed as follows: despite the potential ability to control at the next defence level events that lead to failures, the attempt should be made to avoid them or to control them as early as possible at the multiple defence in depth levels; i.e. the following principle prevails wherever possible: avoid damage instead of mitigating damage which has occurred.

This has resulted in applications of the defence-in-depth safety concept that minimise the probability of serious malfunctions and contribute considerably to the robustness of the nuclear power plants in Germany. Although events at defence in depth levels 1 and 2 (normal operation and abnormal operation) are not relevant to the studies associated with the EU stress test, it should be noted that measures implemented at those levels improve deviation control and thereby result in more effective accident avoidance (and greater availability). A substantial contribution to robustness is made by, for example, the leak-before-break concept, the integrity concept for steam generator tubes (for pressurised water reactors), in-service inspection and maintenance, or continuous monitoring of safety-relevant control valve actuators.

Something that should be emphasised in particular is the additional level between the operational instrumentation and control system and the reactor protection system: the limitation system. It is provided to initiate corrective actions, in the event of deviations from normal operation, before the reactor protection system limits are reached. Actions by the limitation system have a higher priority than control system and manual actions. Limitation has an accident-preventing effect, so that operational malfunctions do not escalate to accidents.

Below, two aspects that are relevant to an assessment of the robustness of existing safety systems for accident control (defence levels 3 and 4a) are explained in greater depth, as they are of importance for the events postulated in the EU stress test.

1. Protection and optimisation of safety systems

In accordance with the concept of multiple levels of measures, functional separation of operational systems and safety systems has been consistently implemented. This has made it easier

- to align the safety systems more specifically to accident control applications and to optimise them for accident control. The safety system is controlled through the multi-train (usually four-train) reactor protection system, which ensures that the operating crew has at least 30 minutes before manual actions must be taken;
- to concentrate the safety-relevant systems in buildings that are especially protected and are in addition decoupled from other system areas that are not required for accident control and in which secondary damage that interferes with their function may occur in the event of accidents.

In this way, functional impairment of safety systems as a result of potential secondary damage in accidents becomes less likely.

2. Design against internal events potentially affecting more than one redundant system

The concept for controlling failures across active safety systems consists mainly of spatial separation of redundant sub-systems and associated structural protection. Internal events such as fire, internal flooding, or mechanical impacts (for example jet forces or projectiles) therefore generally remain limited to one redundancy. The safety systems typically have a four-train design (4 x 50%; for the majority of postulated scenarios the design is as much as 4 x 100%). Apart from these protective measures, which concern the safety systems, there are other measures that prevent or limit events with a potential for affecting more than one redundant system. These are mainly passive measures that are realised through building design (for example, design of all safety-relevant buildings for design basis earthquakes). There are, finally, special active systems that can be used to avoid and control events with a potential for affecting more than one redundant system (for example, fire detection and fire suppression systems). Events with a potential for affecting more than one redundant system therefore do not result in the loss of a safety function even in the event of a postulated, simultaneously occurring single failure.

Since the late 1980s, further measures and systems have been developed with which the effects of severe events can be minimised, e.g. cooling of the reactor core can be restored even after the hypothetical loss of an entire safety system or of multiple systems that perform a safety function together (defence in depth levels 4b and 4c). These include preventive measures for restoring the power supply and heat removal, including the use of mobile systems located on site, to avoid serious damage to the core or to fuel elements in the spent fuel pool. Furthermore, the following mitigative measures have been planned for a core meltdown postulated to occur in spite of all other measures taken:

- Installation of passive hydrogen recombiners within the reactor containment of pressurised water reactors. They are able to remove enough of the hydrogen gas generated in a core damage scenario that hydrogen explosions, and the hazard they pose to the reactor containment, can be avoided. In the case of boiling water reactors, the same objective has been achieved through inertisation, i.e. by means of an oxygen-free atmosphere in the reactor containment.
- Installation of a filtered venting system for the reactor containment, through which gases can be released from the reactor containment so that failure of the reactor containment from excessive pressure is prevented while as much of the radioactive material as possible is kept confined or retained.

In summary, the nuclear power plants in operation in Germany, by virtue of the extensive protection already inherent in the design of the safety systems, are able to control very unlikely events without resorting to emergency measures. With the emergency measures that are available in addition, even extremely unlikely events can be controlled without significant impact on the environment.
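The criterion stated under item 2 above (an internal event confined by spatial separation to one redundancy, plus a postulated single failure, must not lead to the loss of the safety function) can be checked mechanically for a given train layout. The following Python script is an added illustration and is not part of the report or of any licensee's analysis; the train counts, train capacities and room assignments in it are constructed sample values. It generalises the 4 x 50% and 4 x 100% cases mentioned in the text to arbitrary train counts and compartment layouts, and shows that the redundancy criterion is only met when the spatial separation actually limits the event to one train.

```python
"""Redundancy and spatial separation of safety-system trains.

Added illustration, not part of the original report. It works through the
reasoning of section 1.2.4, item 2: an internal event (fire, flooding,
jet forces) is confined by spatial separation to one redundancy, a single
failure is postulated on top, and the safety function must still be
fulfilled. All train counts, capacities and room layouts below are
constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SafetySystem:
    """A safety function provided by `trains` identical sub-systems.

    `train_capacity` is the share of the required duty one train delivers:
    0.5 for a 4 x 50 % design, 1.0 for a 4 x 100 % design.
    `rooms` maps a room (fire compartment) to the trains installed in it.
    """
    trains: int
    train_capacity: float
    rooms: Dict[str, List[int]]

    def trains_lost_in(self, room: str) -> List[int]:
        """Trains disabled by an internal event confined to one room."""
        return list(self.rooms.get(room, []))

    def remaining_capacity(self, lost_trains: int, single_failures: int = 1) -> float:
        """Capacity left after `lost_trains` and the postulated single failure(s)."""
        available = max(self.trains - lost_trains - single_failures, 0)
        return available * self.train_capacity

    def function_maintained(self, lost_trains: int, single_failures: int = 1) -> bool:
        """True when the remaining trains still cover 100 % of the duty."""
        return self.remaining_capacity(lost_trains, single_failures) >= 1.0

    def worst_room_event_tolerated(self, single_failures: int = 1) -> bool:
        """Apply the text's criterion to every room: an event there plus a
        single failure must not lose the safety function."""
        return all(
            self.function_maintained(len(self.trains_lost_in(room)), single_failures)
            for room in self.rooms
        )


def max_tolerated_event_losses(system: SafetySystem, single_failures: int = 1) -> int:
    """Largest number of trains an internal event may disable (with the
    single failure added on top) while the function is still fulfilled."""
    lost = 0
    while system.function_maintained(lost + 1, single_failures):
        lost += 1
    return lost


# Constructed layouts: one train per room (spatially separated) versus
# two trains sharing one room (separation not achieved for that pair).
SEPARATED = {"room A": [1], "room B": [2], "room C": [3], "room D": [4]}
SHARED = {"room A": [1, 2], "room B": [3], "room C": [4]}

FOUR_BY_50_SEPARATED = SafetySystem(trains=4, train_capacity=0.5, rooms=SEPARATED)
FOUR_BY_50_SHARED = SafetySystem(trains=4, train_capacity=0.5, rooms=SHARED)
FOUR_BY_100_SHARED = SafetySystem(trains=4, train_capacity=1.0, rooms=SHARED)
TWO_BY_100_SEPARATED = SafetySystem(
    trains=2, train_capacity=1.0, rooms={"room A": [1], "room B": [2]}
)

if __name__ == "__main__":
    cases = [
        ("4 x 50 %, separated", FOUR_BY_50_SEPARATED),
        ("4 x 50 %, two trains share a room", FOUR_BY_50_SHARED),
        ("4 x 100 %, two trains share a room", FOUR_BY_100_SHARED),
        ("2 x 100 %, separated", TWO_BY_100_SEPARATED),
    ]
    for name, system in cases:
        print(
            f"{name}: criterion met = {system.worst_room_event_tolerated()}, "
            f"event may disable up to {max_tolerated_event_losses(system)} train(s)"
        )
```

The 4 x 50% layout with one train per room satisfies the criterion exactly (one train lost to the event, one to the single failure, the remaining two deliver 100%), which is why the text can state that such events do not lead to the loss of a safety function; the same system with two trains in one room fails the check, and a 2 x 100% system fails it regardless of layout. A 4 x 100% rating, which the text says applies to the majority of postulated scenarios, tolerates the loss of two trains to the event in addition to the single failure.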

A1-9


2 KBR / Brokdorf

Brief description of the nuclear power plant Brokdorf

The nuclear power plant "Brokdorf" is a single unit power station located on the eastern (right) bank of the Elbe river at river kilometre 682.5 in the borough of Brokdorf, district of Steinburg (district town Itzehoe), in the federal state of Schleswig-Holstein. The nuclear power plant is a pre-KONVOI-series (Vor-Konvoi) pressurised water reactor (PWR) manufactured by KWU (Kraftwerk Union, today AREVA NP) with a reactor core of 193 fuel elements. It is a 4-loop plant comprising four steam generators, four lines of safety systems kept entirely separate (i.e. there are four trains for emergency and residual heat removal, four emergency diesel generators, etc.), and four emergency feed power diesels (among other things for controlling external impacts). The thermal reactor capacity amounts to 3900 MW, which is fed to one high-pressure and three low-pressure turbines to generate a gross electric power output of 1480 MW (net 1410 MW). The plant is cooled by the river Elbe. The reactor building houses all major safety-related components and is made of reinforced concrete (>> 1 m thick). Inside the reactor building is the full-pressure steel containment with walls several centimetres thick, enclosing the primary circuit (consisting of the reactor pressure vessel, the pipes connected to it, the primary coolant pumps, etc.) together with the steam generators and the (spent) fuel pool. The reactor produced its first self-sustaining chain reaction (first criticality) on 8 October 1986 and the nuclear power plant commenced commercial power operation on 22 December 1986. By 30 June 2011 it had generated about 275 billion kWh of electric energy (benchmark: the Federal Republic of Germany consumed approx. 538 billion kWh of electricity in 2010). The licensees of the nuclear power plant "Brokdorf" are E.ON Kernkraft GmbH and Kernkraftwerk Brokdorf GmbH & Co. oHG.
The probabilistic safety analysis (PSA) so far performed for the periodic safety review (PSR) of KBR pursuant to BMU guidelines yields Level 1 PSA results (core damage frequency, CDF) clearly below the CDF target specified by IAEA for operating plants (< 1·10⁻⁴/a). The actual results are as low as those recommended for evolutionary power reactors (1·10⁻⁵/a); they also show how well-balanced the systems and plant engineering of KBR are. Level 2 PSA results (calculation of released activity and the associated frequency) show the very low frequency of major releases of fission products from KBR; the frequency of major releases is less than 1·10⁻⁹/a. Taken together, the Level 1 and 2 PSA results show that KBR has a well-balanced safety concept and operates at a very high level of safety.

Earthquakes

For the site, an earthquake with an intensity of 5.5 EMS/MSK at a probability of exceedance of < 1·10⁻⁵/a needs to be considered. With reference to KTA 2201.1, a ground response spectrum including the associated rigid body accelerations (peak ground acceleration) has been determined for the design intensity of 6 EMS/MSK (see Fig. 1).

[Fig. 1: design spectrum (horizontal component); log-log plot of horizontal acceleration (m/s²) versus frequency (Hz); values marked on the curve: 1.21, 1.01, 0.38 and 0.08 m/s²]

A seismological survey provided the basis for determining the required seismological engineering parameters, which were then examined by a seismology expert acting on behalf of the nuclear supervisory authority. In addition, many further verifications were made. All verifications showed that the applied ground response spectrum is correct. The design of components and structures with regard to seismic effects is required to accomplish the following protection goals: a) control of reactivity, b) cooling of fuel elements, c) confinement of radioactive materials, and d) limitation of radiation exposure. Thus, all safety-related buildings and components are designed to withstand the design earthquake, and no damage to safety-related structures or components is expected in the case of the design earthquake. In the event of an earthquake, the external power supply is postulated not to be available. The emergency power supply is therefore designed for the design earthquake and installed with a redundant back-up: apart from the four emergency diesel generators (ordinary back-up AC power source, NSDA1), there are another four emergency feed power diesels (diverse AC power source, NSDA2). Due to its low intensity, the design earthquake can be assumed not to destroy the infrastructure, so employees and equipment will have unhindered and prompt access to the site.

The maximum physically possible earthquake is expected not to seriously damage the core or the nuclear fuel. The nuclear power plant is designed for a probability of earthquake events of ≤ 1·10⁻⁵/a and a probability of flooding events of ≤ 1·10⁻⁴/a pursuant to KTA 2207. Moreover, the plant design includes considerable margins and provides for the potentially combined effects of earthquake and flood. Seismic PSAs prepared for German nuclear power plants similar to KBR show that the damaging forces and mechanisms will not substantially increase the core damage frequency even if the earthquake intensity is greater than that of the design earthquake. The high level of robustness reflects the high design standards applied at the planning and construction stages as well as the retrofits made later during power operation. It is further ensured by the plant being designed to withstand other external effects such as an aircraft crash or an explosion shock wave. There are thus no plans for further measures.

Flooding

The flooding design is based on KTA 2207. According to KTA 2207, the highest water level around the plant components and buildings to be protected must be determined. Permanent (structural) flood protection measures are in place to protect the plant itself against flooding; design flood events require no temporary precautions. The documents submitted to obtain the first partial construction licence of 25 October 1976 stated the height of the dyke and the flood-protection height of the safety-related buildings. Surveys determined the protection height of the buildings as 4.30 m above MSL and the target height of the dyke as 8.40 m above MSL. According to KTA 2207 as amended in 11/2004, the high tide level with a probability of exceedance of 10⁻⁴/a is taken as the design water level for the protective structure (the dyke immediately in front of the plant site protecting the plant). The design water level assumed for on-site building structures and components is based on a failure of the neighbouring lengths of dyke under the high tide level according to KTA 2207. (Note: unlike the KBR dyke, the neighbouring lengths of dyke are not designed to withstand the high tide level according to KTA 2207.) Several surveys determined the once-in-10,000-years high tide. These surveys suggest that a height of 7.16 m above MSL will suffice to cover the design flood along the protective structure and can be used for further investigations. With reference to a once-in-10,000-years high tide of 7.16 m above MSL (design flood along the protective structure), considering the flooding model developed by Prof. Partenscky, and further assuming a failure of the dykes neighbouring the reinforced KBR dyke, the design water level around the plant components to be protected (i.e. on the plant premises) computes to 2.85 m above MSL. Considering the site altitude of 1.5 m above MSL, this results in an on-site water level of 1.35 m.
Assumed dyke failure events must distinguish between the dyke sections outside the plant premises and the fortified dyke along the plant site. Assuming that the neighbouring (unfortified) dykes fail, the ground will be flooded up to 2.85 m above MSL. The structural design of the buildings (4.30 m above MSL) thus leaves a margin of 1.45 m. The vital functions housed in the emergency feed building are located at 2.15 m and are thus clearly above the computed on-site water level of 1.35 m. Unlike the neighbouring dykes, the plant dyke is reinforced such that a failure of this length of dyke can be excluded. The protective function of this section was improved by reinforcing the dyke's structure and making its waterside slope shallower. A potential dyke failure in this section was nevertheless investigated. The results showed that, even then, there is enough margin left to protect the vital functions inside the emergency feed building; this margin is somewhat enhanced by the building's waterproofing. A significant design margin is provided by the large difference between the anticipated design water level and the water level that the structural design is based upon. Furthermore, there is sufficient early warning time to take measures appropriate to safeguard against a flood in excess of the design water level. The plant design is thus robust enough for the plant to reliably survive a flood. Plant safety is further improved by four emergency feed power units designed to withstand earthquakes, aircraft crashes, explosion shock waves and flooding. These units are capable of removing the decay heat for 10 hours even if the control room and the substation building are lost. After that time, the emergency control room is available for properly shutting down the plant.

Extreme weather

The design considers the following weather loads:

- extremely strong winds,
- extremely high and low ambient temperatures (water and air),
- extreme rainfall,
- biological effects (polluting load),
- lightning strike,
- low tide.

Conventional construction standards as well as nuclear regulations were considered. Furthermore, the design assumed much greater loads to be safeguarded against, including external effects such as earthquakes, high tides/floods, explosion shock waves or aircraft crashes. The design requirements for the safety-related buildings exceed the extreme weather protection requirements by far. The design also takes into account the regulations provided for combinations of extreme weather conditions, specifically with regard to their causal interdependencies. Meteorological instruments monitor the ambient conditions permanently, and automatic and administrative measures are taken before the monitored values reach their set points. Overall, the positive results of extensive considerations of extreme weather conditions, including their potential combinations, conclusively show that the plant will reliably survive extreme weather events.


Due to the available design margins, no other measures are required to increase plant safety.

Loss of power supply

KBR has a tiered concept for automatically ensuring AC supply to operational and safety-related components, consisting of the main grid connection, the stand-by grid connection, the emergency power supply (ordinary back-up AC power source, NSDA1), and the emergency feed power supply (diverse AC power source, NSDA2). The different stages of the AC power supply cover different failures of the AC grid. An additional third grid connection is available. The emergency power supply is started if the main grid connection is lost and neither a load shed to house load nor the switch-over to the stand-by grid is successful. In that case, the emergency power supply is automatically activated to supply all safety-related components required for incident control and for sustaining the plant's safety goals. In line with the plant's redundancy concept, the emergency power supply has four redundant trains. If all four emergency diesel generators fail, the emergency feed power system is started automatically in all four trains. The emergency feed power system is able to back up the vital functions of the decay heat removal facilities. Pursuant to the applicable regulations, the technical equipment and the fuel at hand ensure that both emergency power supply and emergency feed power supply by the diesel generator units last for > 72 hours. Bringing in additional fuel extends this time; in line with the ENSREG specification, light equipment is assumed to be available within 72 h and heavy-duty equipment after 72 h. In the event of an assumed total failure of the installed AC power, emergency power and emergency feed power supplies, the battery-buffered redundant supply trains supply the required I&C and necessary process components for at least 2 hours.
At this stage, the available emergency procedures would initiate process-oriented emergency actions to provide decay heat removal and to prevent core damage. In parallel, the (buried) third grid connection would be connected in an attempt to restore the AC power supply. All of the above measures are preventive, that is, they are intended to retain the integrity of the fuel elements, the primary cooling circuit and decay heat removal. If a preventive measure is unavailable or fails, there are mitigative measures aimed at further limiting any potential damage. Considering all of the above measures arranged to ensure continuous operation on emergency power, to provide and maintain additional equipment in case of an assumed failure of all emergency power supplies, to take emergency measures for uninterrupted decay heat removal, and to provide full mobility and transportation under serious failure modes, no other plant states can be identified that would require further remedies.


Consideration is being given to supplementing the concept with additional mobile diesel generators. In view of the amended Atomic Energy Act, all concepts and boundary assumptions are currently being reviewed.

Loss of primary heat sink

A loss of the primary ultimate heat sink due to a postulated blockage of the main water inlets can be excluded: firstly, because of the small water volume involved compared with the dimensions of the intake buildings and the cross-sectional areas, and secondly because of the large distance between the two water intake positions. Furthermore, different flow paths can be connected in order to maintain the service water supply. If emergency-diesel-backed components of the residual heat removal chain fail, the decay heat is removed by activating the emergency residual heat removal chain. The two circuits of the emergency residual heat removal system are powered by the emergency feed power system, which is protected against external effects. Possible failures of the water inflow and return or of the secured service water supply following an underwater pressure wave are handled according to the measures defined in the operating or emergency manual. If both the main cooling water and the service water systems fail, the heat is discharged via the secondary side through the main steam relief station. First of all, the emergency feedwater system is activated. After that, the emergency procedures of secondary and primary bleed and feed remain feasible. Mobile pumps can be used to feed the steam generators when necessary; for this purpose, demineralised water can be taken from the secured demineralised water storage tanks, the demineralised water system, the drinking water supply system or the fire water system. Measures in non-power modes depend on the state of the plant and may be equivalent to power-mode measures or to those taken to cool the fuel pool. Time constraints on using alternative heat sinks depend on the amount of fuel and coolant at hand; the available time can be extended to any length by the appropriate emergency measures.
Initially, however, external measures for long-term heat sink operation are not required. The above shows that the plant features a wide variety of measures aimed at sustained removal of decay heat. Hence, no improvement measures are planned.

Loss of primary heat sink combined with station blackout

Following a station blackout, neither the station service power supply nor the emergency diesel generators (NSDA1) will be available. However, KBR still has the fall-back solution of the emergency feed power diesels (NSDA2) and the third grid connection. Coolant supply can thus be ensured by taking the measures discussed in section 0.8. If an event occurs during power operation, the emergency feed power system will therefore be able to shut down the plant to "subcritical hot" and provide independent decay heat removal for some time. If the emergency feed power diesels and the third grid connection are not credited, the emergency measures of choice are secondary and primary feed and bleed. Once the pressure in the steam generators has been relieved, the secondary feed measure would be applied using the water inventory of the feedwater pipes, the feedwater tank, or a mobile fire fighting pump. Assuming the pressure can be successfully released from the steam generators (but there is no feeding), some time is gained before the next measure (primary feed and bleed) is taken. By means of the accumulators, the latter provides further buffer time that will suffice to activate the third grid connection or the station service power supply. Both the availability of the third grid connection and the long-term operation of the mobile pumps as part of the secondary and primary feed and bleed measures depend on external measures, in particular on the availability of fuel. Generally speaking, the procurement, delivery and connection of fuel is a routine process described in sufficient detail in the Operating Manual (BHB) and in the implementation instructions contained in the Plant Organisation Manual (BOHB). To conclude, the variety of measures in place to ensure decay heat removal indicates that the plant will be safe even following a station blackout.

Management of severe accidents

The policy of continuously improving the nuclear power plant KBR in line with scientific and technological advances has led to a range of measures aimed at preventing severe accidents or, in the highly improbable case of such accidents occurring, at preventing or at least considerably limiting their effects on the plant and its environment. For beyond design basis accidents, the operator has planned many organisational and technical measures and precautions to have the required staff and technical equipment available on site. The minimum staffing of the shift personnel ensures that all emergency measures can be taken at any time, even in beyond design basis accidents. Plant radio receivers and telephones are available for alerting the persons who make up the emergency organisation team. Personnel bottlenecks can be covered by requesting personnel from other E.ON locations. Periodic emergency drills ensure that everything will work in an emergency. Upon notification from the affected power plant, E.ON headquarters in Hanover alerts the corporate emergency organisation, which is responsible for communicating with the press and for making corporate decisions. Every plant has the equipment on site to execute the emergency procedures. Where further equipment is necessary, it consists of commercially available components of the kind used by fire brigades and emergency services. This helps to almost entirely avoid severe accidents or, should they occur, to significantly slow down the progression of their effects, which provides extra time for mobilising personnel and technical equipment to the site. The procurement of process and auxiliary materials is regulated in the implementation instructions such that a minimum stock is always at hand. Important spares are kept on site or can be obtained from the manufacturers through contractually secured stand-by services. Following radiologically relevant releases, the emergency organisation will have the radiation protection team perform measurements in the plant's vicinity as specified in the surveillance concept; the team will also advise the competent emergency protection authority as to whether the public should be alerted. Various means of on-site and off-site communication are available, including wired telephones, radios working in different frequency ranges, plant radio receivers and satellite phones. A blackout-proof telephone line allows connection to the grid control centre for several hours. Sufficient equipment is available on site to restore access to buildings blocked by external effects. External fire brigades, the technical emergency service and the national nuclear emergency group (www.khgmbh.de), with separate support contracts, are also available. When an accident with an assumed activity release occurs, an internal handling concept applies, i.e. the radiation protection unit measures the actual activity concentrations in occupied areas and defines the appropriate measures. The control room can be connected to a recirculating air filter which, despite the radioactivity, allows the staff to stay and work in the room without respiratory equipment. When radiation levels prohibit any further use of the control room, the measures required to shut down the plant and to cool the fuel pool can still be taken from the emergency control room located in the bunkered emergency feed building at an adequate distance from the main control room.
Explosive gases are automatically detected and the ventilation of the emergency feed building is then set to recirculation mode. In this case, the emergency organisation works from the back-up emergency support centre located on the site of the nuclear power plant Brunsbüttel. In the German plants, safety level 4 activities are protection goal oriented and usually predefined by initiation criteria. The requirements for their execution are described in the Emergency Manual. (Explanation for the English version: in addition to the Operating Manual there is a fully established Emergency Manual, which is continuously improved by the operator and supervised by the authority. In contrast to the international approach, this Emergency Manual describes only severe accident measures at safety level 4 and therefore covers both preventive and mitigative measures.) Basically, it can be assumed that facilities in flood-proof and earthquake-resistant buildings are available on demand. Due to the geographical position of the plant, high tides and floods can be assumed not to occur suddenly, leaving enough time to build further barriers with equipment available on site. Concerning the availability of power supply, a distinction is made between the loss of the on-site power supply and the loss of the emergency diesel generators.


The I & C design complies with the rules issued by the German Nuclear Safety Standards Commission (KTA) for accident I & C. These rules specify which measured values have to be displayed in the control room and the physical (environmental) conditions the I & C design must withstand. Furthermore, all relevant I & C devices are battery-buffered and remain available for the specified time in the case of a complete loss of power. In addition, KBR has installed extra systems usable during beyond design basis accidents; examples are the radioactivity monitoring of the containment venting system and the containment sampling system. The emergency procedures are protection goal oriented, not event oriented. Measures to be taken after core damage scenarios have to cover a wide range of potential events. Hence, in September 2010, EKK ordered a SAMG concept (Severe Accident Management Guidelines) for the EKK plants. The corresponding documents will be compiled by AREVA.

Severe accident measures for core cooling, for assuring containment integrity, and for limiting radioactive releases into the environment

The measures described in the Emergency Manual are aimed at preventing core damage and are dedicated to safety level 4. They are associated with the plant's specific protection goals. The first measures are dedicated to increasing the coolant inventory and to restoring core cooling in recirculation mode. Where the primary circuit is at high pressure following a core cooling failure, secondary- and primary-side bleed & feed measures are taken to lower the pressure and temperature in the primary circuit and to allow water to be fed by passive systems or to ensure feeding through the low-pressure injection systems. Whereas, according to the Emergency Manual, some emergency measures are taken at the same time, there is a priority list specifying which measure must be taken when the specified initiation criteria are met. Secondary-side bleed & feed by means of a mobile fire fighting pump can be continued without time constraints and can be performed even if the station AC power supply and the battery system have failed; the same applies to the filtered venting of the reactor containment. Depending on the plant status, the extent of damage etc., the emergency organisation decides whether attempts are made to restore previously failed systems. The Emergency Manual also describes procedures for restoring the AC power supply. In addition to the four emergency diesel generators, the plant has four emergency feed power units located in the emergency feed building, which is protected against external impacts. The emergency control room is also housed in this building. The emergency measures mentioned above can still be taken when the core is damaged. They are capable of terminating the process of core degradation or at least of considerably increasing the grace periods available until further measures need to be taken.
If, in the case of a meltdown, the reactor pressure vessel is assumed to have failed, the melt will come into contact with concrete. For many accident progression scenarios a coolable configuration will be established, so that the molten corium-concrete interaction can be avoided or stopped. Investigations of the consequences of a penetration of the concrete base mat of the reactor building have shown that, due to delay times and dilution, the release of fission products is reduced in a sustained manner. In cases of severe core damage, hydrogen is generated by the chemical reaction between the fuel rod cladding material and the coolant; additional gases are generated during the melt-concrete interaction. Therefore, systems for measuring hydrogen concentrations and HVAC fans exist to avoid inadmissible hydrogen concentrations in the containment atmosphere. Furthermore, a system for H2 recombination based on autocatalytic recombiners is installed throughout the containment, which recombines the H2 into water. These are passive systems working without external energy or auxiliary systems. Any hydrogen leaking from the containment into the annular space of the reactor building is extracted by the annulus exhaust. The containment's leakage rate is checked repeatedly by periodic testing and must remain below the specified limits. In the case of containment pressurisation due to evaporation processes and/or RPV damage, the containment pressure can be limited and reduced by operating the containment pressure suppression system, and a filtered venting of the containment can be performed. Before that, the accident-proof sampling system can be used to evaluate the nuclide composition in the containment and to estimate the activity releases during the venting process. Activity releases are reduced by the installed iodine and aerosol filters. The instruments in the vent stack measure how much activity is being released. The venting system can be restarted as often as necessary.
The usability of the venting system under the radiological conditions of a meltdown situation has been shown by an accessibility study. Due to the high robustness of the containment and the protection measures provided (filtered venting and passive autocatalytic recombiners), a containment failure is not physically plausible. If a containment failure is nevertheless assumed, any releases will spread into the annular space between the containment and the reactor building. If the annulus exhaust system is active, any airborne activity is filtered and released via the vent stack. Additional retention can be achieved by activating the demand filter system. The results of the probabilistic safety analysis of the nuclear power plant KBR have shown that, due to its robust and conservative design, the containment is not expected to lose its leak-tightness until exposed to twice its design pressure. In order to ensure sustained subcriticality following a SCRAM in an accident, the automatically initiated systems feed borated water into the primary circuit. The boron injections are rated such that the reactor remains permanently subcritical after the control elements have shut it down; the negative temperature coefficients are also taken into account in the design. Control systems prevent the injection of deionate (demineralised water). Borated water is also used to cool the fuel elements in the spent fuel pool. Strictly speaking, owing to the geometry of the racks and the use of borated steel, the boron in the coolant is not necessary to ensure subcriticality. Under normal operating conditions, the heads of the fuel elements are covered by several metres of water. If boiling should occur in the spent fuel pool, the water level will decrease very slowly and the boric acid concentration will increase. The established emergency procedures are able to restore the pool water level by adding demineralised water or coolant from the flooding tanks. These procedures are also suitable means of preventing or reducing the effects of previous core damage. The fuel pool is located inside the containment, which is designed to withstand high pressures, while the reactor building is able to resist external impacts.



3 KKG / Grafenrheinfeld

Brief description of the nuclear power plant KKG

The Grafenrheinfeld nuclear power plant is a single unit power station located on the left bank of the Main river at river kilometre 324.5 in the borough of Grafenrheinfeld, district of Schweinfurt, in the administrative region of Lower Franconia (Federal State of Bavaria). The nuclear power plant is a pressurised water reactor (PWR) manufactured by KWU (Kraftwerk Union, today AREVA NP) with a reactor core of 193 fuel elements. It is a 4-loop plant comprising four steam generators, four lines of safety systems kept entirely separate (i.e. there are four trains for residual heat removal, four emergency diesel generators, etc.), and four emergency feed power diesel units (for controlling external and other events). The thermal reactor capacity amounts to 3765 MW, which is fed to one high-pressure and two low-pressure turbines to generate a gross electric power output of 1345 MW (net 1275 MW). The plant is cooled by two natural draught cooling towers; the cooling water is sourced from the Main river. The reactor building houses all major safety-related components and is made of reinforced concrete (>> 1 m thick). Inside the reactor building is the full-pressure steel containment with walls several centimetres thick, enclosing the primary circuit (consisting of the reactor pressure vessel, the pipes connected to it, the primary coolant pumps, etc.) together with the steam generators and the (spent) fuel pool. The reactor produced its first self-sustaining chain reaction (first criticality) on 9 December 1981 and the nuclear power plant commenced commercial power operation on 17 June 1982. By 30 June 2011 it had generated about 300 billion kWh of electric energy (benchmark: the Federal Republic of Germany consumed approx. 538 billion kWh of electricity in 2010). The licensee of the Grafenrheinfeld nuclear power plant is E.ON Kernkraft GmbH.
The probabilistic safety analysis (PSA) so far performed for the periodic safety review (PSR) of KKG pursuant to BMU guidelines yields Level 1 PSA results (core damage frequency, CDF) clearly below the CDF target specified by IAEA for operational plants (< 1*10-4/a). Actual results are as low as those recommended for evolutionary power reactors (1*10-5/a); they also show how well-balanced the systems and plant engineering of KKG is. Level 2 PSA results (calculation of released activity and the associated frequency) show the very low frequency of major releases of fission products from KKG; the frequency of major releases is less than 1*10-9/a. Taken together, Level 1 and 2 PSA results show that KKG has a well-balanced safety concept and operates at a very high level of safety.

Earthquake

For the site, an earthquake with an intensity of 6.0 EMS/MSK at a probability of exceedance of < 1*10-5 /a needs to be considered. With reference to KTA 2201.1, a ground response spectrum including the associated rigid body accelerations (peak ground acceleration) has been determined for the design intensity of 6.0 EMS/MSK (see Fig. 1).

Fig. 1: design spectrum (horizontal component) [figure: horizontal acceleration (m/s²) plotted against frequency (Hz), 0.1 to 100 Hz, with plateau values of 1.66 m/s², 0.83 m/s² and 0.33 m/s²]

A seismological survey provided the basis for determining the required seismological engineering parameters, which were then examined by a seismology expert acting on behalf of the nuclear supervisory authority. In addition, many more verifications were made. All verifications showed that the applied ground response spectrum is correct. The design of components and structures with regard to seismic effects is a must for accomplishing the following protection goals: a) control of reactivity, b) cooling of fuel elements, c) confinement of radioactive materials, and d) limitation of radiation exposure. Thus, all safety-related buildings and components are designed to withstand the design earthquake. Therefore no damage to safety-related structures or components is expected in case of the design earthquake. In the event of an earthquake, the external power supply is postulated not to be available. The emergency power supply is therefore designed for the design earthquake and installed with a redundant back-up. Apart from the four emergency diesel generators (ordinary back-up AC power source – NSDA1), there are another four emergency feed power diesels (diverse AC power source – NSDA2).

Due to the low intensity, a design earthquake can be assumed not to destroy the infrastructure. Employees and equipment will therefore have unhindered and undelayed access to the site. The potential maximum physical seismic magnitude is expected not to seriously damage the core or the nuclear fuel. The nuclear power plant is designed for a probability of earthquake events of ≤ 1*10-5 /a and a probability of flooding events of ≤ 1*10-4 /a pursuant to KTA 2207. Moreover, the plant design includes considerable margins and provides for the potentially combined effects of earthquake and flood. Earthquake PSAs prepared for German nuclear power plants similar to KKG show that damaging loads and mechanisms will not substantially increase the core damage frequency even if the earthquake intensity is greater than that of the design earthquake. The high level of robustness and the high design standards result from measures taken as early as the planning and building stages as well as from later retrofitting during power plant operation. This is further ensured by the plant being designed to withstand other external effects such as an aircraft crash or an explosion shock wave. There are thus no plans for taking further measures.

Flooding

Flood design ratings are based on KTA 2207. Its methods were used to determine the design flood for a probability of exceedance of 10-4 /a. Permanent (structural) flood protection measures are in place to protect the actual plant against flooding. Design flood events require no temporary precautions and there are thus no plans for such precautions. Based on a discharge volume of HQ10000 = 2,783 m3/s, the water level in the Main river at the KKG location is HW10000 = MSL + 205.82 m. This design water level is about 0.70 m below the plant site level at MSL + 206.50 m and about 0.80 m below the plant's geodetic sea level (gates) at MSL + 206.60 m. With regard to the inland location, the first step was to determine the floodwater discharge and, in a second step, to apply adequate methods to it to compute the design water levels. Grafenrheinfeld nuclear power plant (KKG) is located about 8 km downstream of Schweinfurt at river kilometre 324 of the Main (inland location). Flood control at the KKG site was based on the standard floodwater discharge down the Main river and the resulting water level, determined at a probability of exceedance of 10-4 /a (design water level corresponding to KTA 2207). A surveyor referenced the official data to determine the design flood elevation specific to the location. Further investigations were performed to check the design. All investigations revealed that the design criteria remain valid. Permanent (structural) flood protection measures are in place to protect the actual plant including all buildings and facilities against flooding. There is thus no need for further flood precautions. The design water level is about 0.70 m below the plant site level at MSL + 206.50 m and about 0.80 m below the plant's geodetic sea level (gates) at MSL + 206.60 m. The accesses to the emergency feed building are 1.7 m above the plant's geodetic sea level and therefore flood-proof. Buildings and ducts down to the plant's geodetic sea level are impervious to water. The same applies to pipe and cable ducts to the buildings. Investigations into an external flood event performed for Grafenrheinfeld nuclear power plant show that, due to the altitude of both the plant and its vicinity, flooding of the plant site can be practically ruled out. The primary findings are that the plant site is 0.7 m above the anticipated flood water level and that the level of a once in 10,000 years flood is thus no risk to the plant. Higher water levels to be expected at a frequency of less than 10-4/a are mainly controlled by the dykes along the Main river. This is supported by the safety margin of the plant access level. Even if the plant site is flooded in case of a flood event in excess of the design water level, the required systems will remain operational due to the wide design margin, the long early warning time, and the temporary measures. The plant design is thus robust enough to make the plant reliably survive a flood.

Extreme weather

The design considers the following weather loads:

- extremely strong winds,
- extremely high and low ambient temperatures (water and air),
- extreme rainfall,
- biological effects (polluting load),
- lightning stroke,
- low tide.

Conventional construction standards as well as nuclear regulations were considered. Furthermore, the design assumed much greater loads to be safeguarded against, including external effects such as earthquakes, flooding, explosion shock waves or aircraft crashes. The design requirements for the safety-related buildings exceed the extreme weather protection requirements by far. The design also takes into account the regulations provided for combinations of extreme weather conditions, so that relevant effects, and in particular those with causal interdependencies, are provided for. Meteorological instruments monitor the ambient conditions permanently. Hence, automatic and administrative measures will be taken before the values reach the set points. In general, the positive results of the extensive considerations of extreme weather conditions, including their potential combination, conclusively show that the plant is safe in case of extreme weather events. Due to the available design margins, no other measures are required to increase plant safety.


Loss of power supply

To ensure that operational and safety-related components maintain their AC supply, KKG uses a tiered backup system: the main grid connection, the stand-by grid connection, the emergency power supply (ordinary back-up AC power source – NSDA1), and the emergency feed power supply (diverse AC power source – NSDA2). The different stages of the AC power supply allow it to cover different failures of the AC grid. An additional third grid connection is available. The emergency power supply will be started if the main and stand-by grid connections are not available and a load shed on the station service power supply is not successful. In that case, the emergency power supply is automatically activated to supply power to all safety-related components required for incident control and for sustaining the plant's safety objectives. The emergency power supply is marked by its four redundant trains in line with the plant's redundancy concept. In case of the failure of all four emergency power supplies, the emergency feed power supply will start up automatically in all four trains. The emergency feed power supply system can back up the vital functions of the decay heat removal system. The applicable regulations require that the technical equipment and the fuel at hand ensure that both the emergency diesel and the emergency feed power supply by the diesel generator units last for 72 hours. This time can be extended by supplying additional fuel, with light equipment being deployed within 72 h and heavy-duty equipment after more than 72 h (in accordance with the ENSREG specification). In the event of an assumed total failure of the installed AC power and emergency diesel/emergency feed power diesel supplies, the battery-buffered redundant supply trains will supply power to the required I&C and necessary process components for at least 2 hours.
At this stage, the available emergency procedures would initiate process-oriented emergency actions to provide decay heat removal and to prevent core damage. A parallel means is to connect the third (buried) grid connection to try and restore the AC power supply. This may also be provided by a mobile stand-by generator available at the KKG plant. All of the above measures are preventive, that is to say, they are intended to retain the integrity of the fuel elements, the primary cooling circuit and decay heat removal. In case a preventive measure is unavailable or fails, there are mitigative measures aimed at further controlling any potential damage. Considering all of the above measures arranged to ensure continuous operation on emergency power, to provide and maintain additional equipment in case of an assumed failure of all emergency power supplies, to take emergency measures for uninterrupted decay heat removal, and to provide full mobility and transportation under serious failure modes, no other plant states can be identified that would require further and additional remedies. Consideration is being given to the concept of using additional mobile diesel generators to recharge the batteries. In view of the amended Atomic Energy Act, all concepts and constraint assumptions are currently being reviewed.


Loss of the primary heat sink

A loss of the primary heat sink due to a blockage of the intake points can be excluded because of, firstly, the small required water flow compared to the building dimensions and the opening cross-sections and, secondly, the very large distance between the two existing intake buildings. In addition, various cross-connections between the circuits have been realised so that the auxiliary cooling water supply is guaranteed in every case. In case of failures of emergency diesel power-backed components belonging to the residual heat removal chain, the decay heat will be dissipated by enabling the emergency residual heat removal chain. The two trains of the emergency residual heat removal system are powered by the emergency feed diesel grid, which is protected against external effects. In case of an interruption of the cooling water (via intake or outflow, or the service water system) due to an underwater blast wave, appropriate measures in accordance with the instruction or emergency manual are provided. If both the main and service water systems fail, the heat is discharged down the secondary side via the main steam relief station. First of all, the emergency feedwater system will be activated. In the long run, one emergency feed diesel is sufficient to ensure the emergency residual heat removal and, respectively, the feeding of the steam generator. Without any external support, the plant is able to run in this mode until the available oil and fuel quantities have been consumed, which is after a very long time of operation. If the service water system fails completely, the demineralised water pools must be replenished by emergency measures. The necessary additional deionised water can be drawn from the deionised supply system, the drinking water supply system or the fire extinguishing system. Measures in non-power mode depend on the state of the plant and may be equivalent to power mode measures or to those taken to cool the storage pond.
The time constraints on using alternative heat sinks depend on the amount of fuel and coolant at hand. The time window can be extended to any length by the appropriate emergency measures. At first, however, external measures for long-term heat sink operation are not required. The above shows that the plant features a wide variety of measures aimed at the sustained dissipation of decay heat. Therefore, no further action is required.

Loss of the primary heat sink following station blackout

Following a station blackout, neither the station service power supply nor the emergency diesel generators (NSDA1) will be available. However, KKG still has the fall-back solution of the emergency feed diesels (NSDA2) and the third mains connection. The coolant supply can thus be ensured by taking the measures discussed in section 0.8. If an event occurs during power operation, the emergency feed water system will therefore be able to shut down the plant to "subcritical hot" and provide independent decay heat removal for some time. In case the emergency feed diesels and the third grid connection are not credited, the emergency measures of choice are secondary and primary feed and bleed. Once the pressure in the steam generators has been relieved, the secondary feed measure may be carried out using the water inventory of the feed-water pipes or the feed-water tank, or by using a fire water pump. Assuming pressure can be successfully released from the steam generators (but there is no feeding), some time will be gained before the next measure (primary feed and bleed) is taken. By means of the accumulators, the latter will provide some more buffer time that will suffice to activate the third grid connection or to reconnect the station service power circuits. Both the availability of the third grid connection and the operation of the mobile pumps for longer periods of time as part of the secondary and primary feed and bleed measures depend on external measures, namely on the availability of fuel. Generally speaking, the procurement, delivery and connection of fuels is a routine process sufficiently detailed in the Operating Manual (BHB) and the implementation instructions contained in the Plant Organisation Manual (BOHB). To conclude, the variety of measures in place to ensure decay heat removal suggests that the plant will be safe even following a station blackout.

Managing severe accidents

The policy of continuously improving the nuclear power plant KKG with regard to scientific and technological advancements has led to establishing a plurality of measures aimed at preventing severe accidents or, in the highly improbable case of such accidents occurring, at preventing or at least considerably constraining their effects on the plant and its environment. In the case of beyond design basis accidents, the operator has planned many organisational and technical measures and precautions to have the required employees and technical equipment available on-site. The minimum staffing of the shift personnel ensures that all emergency measures can be taken at any time, even in cases of beyond design basis accidents. Plant radio receivers and telephones are available for alerting the persons required to make up the emergency organisation team. Personnel bottlenecks can be made up for by requesting personnel working at other E.ON locations. Periodic emergency drills ensure that everything will work in case of an emergency. Upon notification received from the affected power plant, E.ON Headquarters in Hanover will alert the Corporate Emergency Organisation, which will be responsible for communicating with the press and for making corporate decisions. Every plant has the equipment on site to execute the emergency procedures. When further equipment is necessary, this will concern commercially available components as used by fire brigades and emergency services. This will help to almost entirely avoid severe accident events or, should they occur, to significantly slow down the progression of their effects, which will provide extra time for the mobilisation of personnel and technical equipment to the site.

The procurement of process and auxiliary materials is regulated in the plant organisation manual instructions such that there is always a sufficient stock at hand. Important spares are kept on-site or can be obtained from the manufacturers by means of contractually secured stand-by services. Following radiologically relevant releases, the emergency organisation will have the Radiation Protection Team perform the measurements in the plant's vicinity as specified in the surveillance concept; the team will also advise the competent emergency protection authority as to whether the public should be alerted. Various means of communication are available for on-site and off-site communication, including wired telephones, radios working at different frequency ranges, plant radio receivers, and satellite phones. A blackout-proof telephone line allows connection to the grid control centre for several hours. Sufficient equipment is available on-site to restore access to buildings blocked by external effects. External fire brigades, the technical emergency service or the national nuclear emergency group (www.khgmbh.de), with separate support contracts, are also available. When an accident with a postulated activity release occurs, an internal handling concept applies, i.e. the radiation protection unit will measure the actual activity concentrations in occupied areas and define the appropriate measures. The control room can be connected to a circulating air filter which, despite the radioactivity, will allow the staff to stay and work in the room without respiratory equipment. When radiation levels prohibit any further use of the control room, the measures required to shut down the plant and to cool the fuel pool can still be taken via the emergency control room located in the bunkered emergency feed building at an adequate distance from the main control room.
Explosive gases are automatically detected and the ventilation of the emergency feed building can also be manually set to recirculation mode. In this case, the emergency organisation will work from the back-up emergency support centre located at an outdoor switching station in Schweinfurt. In the German plants, safety level 4 activities are protection goal oriented, usually predefined by initiation criteria. The requirements for execution are described in the Emergency Manual. (Explanation for the English version: in addition to the Operational Manual there is the fully established Emergency Manual, which is continuously improved by the operator and supervised by the authority. In contrast to the international approach, this Emergency Manual describes only severe accident measures at safety level 4 and therefore covers preventive and mitigative measures.) Basically, it can be assumed that facilities in flood-proof and earthquake-resistant buildings are available on demand. Due to the geographical plant positions, high tides and floods can be assumed not to occur suddenly, leaving enough time to build further barriers with the equipment available on-site. Concerning the availability of the power supply, a distinction is made between the loss of on-site power and the loss of the emergency diesel generators. The I & C design complies with the rules issued by the German Nuclear Safety Standards Commission (KTA) for emergency I & C. These rules specify which measured values have to be displayed in the control room. Further, the rules specify requirements for the physical design of the I & C. Furthermore, all relevant I & C devices are battery-buffered and are available for the specified time in cases of complete loss of power. In addition, KKG has installed extra systems usable during beyond design basis accidents. Examples of such systems are the radioactivity monitoring of the containment venting system and the containment sampling system. The emergency procedures are protection goal oriented, not event oriented. Measures to be taken after core damage scenarios have to cover a wide range of potential events. Hence, in September 2010, EKK ordered a SAMG concept (Severe Accident Management Guidelines) for the EKK plants. The corresponding documents will be compiled by AREVA.

Severe accident measures for core cooling, for assuring containment integrity, and for limitation of radioactive releases into the environment

The measures belonging to safety level 4 described in the Emergency Manual are aimed at preventing core damage and are associated with the plant's specific protection goals. The first measures are dedicated to increasing the coolant inventory as well as to restoring core cooling in recirculation mode. If the primary circuit is exposed to high pressure following a core cooling failure, secondary and primary-side bleed & feed measures will be taken to lower the pressure and temperature in the primary circuit and to allow water to be fed by passive systems or to ensure feeding through the low-pressure injection systems. According to the Emergency Manual, some emergency measures will be taken at the same time; however, there is a priority list specifying which measure must be taken when the specified initiation criteria are met. Secondary-side bleed & feed measures by means of a mobile fire fighting pump can go on without time constraints and can be taken even if the station AC power supply and the battery system have failed. The same is valid for filtered venting. Depending on the plant status, the amount of damage etc., the emergency organisation will decide whether an attempt is made to restore previously failed systems. The Emergency Manual also describes procedures for restoring the AC power supply. In addition to the four emergency diesel generators, the plant has four emergency feed power diesels located in the emergency feed building, which is protected against external impacts. The emergency control room is also housed in this building. The above mentioned emergency measures can still be taken when the core is damaged. They are capable of terminating the process of core degradation or at least of considerably increasing the grace periods available until further measures need to be taken.
If, in case of a meltdown, the reactor pressure vessel is assumed to have failed, the melt will come into contact with concrete. For many accident progression scenarios a coolable configuration will be established, so that the molten corium concrete interaction can be avoided or stopped. Investigations with regard to the consequences of a penetration of the concrete of the reactor building basement have shown that, due to delay times and dilutions, the release of fission products can be decreased in a sustainable manner.

In cases of severe core damages, hydrogen will be generated due to the chemical reaction between the fuel rod cladding material and the coolant. Additionally gases will be generated during a melt concrete interaction. Therefore, systems for measuring hydrogen concentrations and HVAC-fans exist to avoid inadmissible hydrogen concentrations in the containment atmosphere. Furthermore a system for H2 recombination based on autocatalytic recombiners is installed throughout the containment that will recombine the H2 and turn it into water. These are passive systems working without external energy or auxiliary systems. Any hydrogen leaking from the containment towards the annular space in the reactor building is extracted by the annulus exhaust. Via periodic testing the containment's leakage rate is checked repeatedly. The leakage rate must be below the specified limits. In case of containment pressurization due to evaporation processes and/or RPV damages the containment pressure can be limited and decreased by operating the containment pressure suppression system and a filtered venting of the containment can be performed. Before that, the accident-proof sampling system can be used to evaluate the composition of nuclides in the containment and to estimate the activity releases during the venting process. Activity releases are reduced by the installed iodine and aerosol filters. The instruments in the vent stack measure how much activity is being released. The venting system can be restarted as often as necessary. Usability of the venting system with regard to its radiological conditions in a meltdown situation has been shown by an accessibility study. Due to the high robustness of the containment and the foreseen protection measures (filtered venting and passive autocatalytic recombiners) a containment failure is physically unreasonable. 
If a containment failure is assumed anyhow, any releases will be spread inside the annular space between the containment and the reactor building. If the annular exhaust system is active, any air-borne activity will be filtered and released via the vent stack. Depending on the type of reactor containment failure, the pressure in the annular space in the reactor building or the reactor auxiliary building may build up quickly. Even so, and even if the exhaust system fails, there will be some natural draught up the vent stack. The results of the probabilistic safety analysis of the nuclear power plant "KKG" have shown that, due to its robust and conservative design, the containment shell is not expected to fail until exposed to twice its design pressure. In order to ensure sustained subcriticality following a SCRAM in an accident event, the automatically initiated systems will feed borated water to the primary circuit. Boron injections are rated such that the reactor will remain permanently subcritical after the control elements have shut down the reactor. The negative temperature coefficients are also taken into account by design. Control systems prevent the injection of deionate (demineralised water). Borated water is also used to cool the fuel elements in the spent fuel pool. Strictly speaking, and owing to the geometry of the racks and the use of borated steel, the boron in the coolant is not necessary to ensure subcriticality. In normal operating conditions, the heads of the fuel elements are covered by several metres of water. If boiling should occur in the spent fuel pool, the water level will decrease very slowly, causing the water level to drop and the boric acid concentration to increase. The emergency procedures described are able to restore the water in the pool to a more normal level by adding demineralised water or coolant from the flooding tanks. These procedures are also suitable means of preventing or reducing the effects of previous core damage. The fuel pool is located inside the containment, which is designed to withstand high pressures, whereas the reactor building is able to resist external impacts.


4 KKI 1 / Isar 1

Brief description of the nuclear power plant ISAR Unit 1

The nuclear power plant "Isar" consists of two units and is located on the Isar river at river kilometre 61, west of the Niederaichbach barrage in the county of Landshut in Lower Bavaria, borough of Essenbach (Federal State of Bavaria). Its location is about 14 kilometres downstream of Landshut. The power plant as a whole combines two different types of stations, i.e., a 69-series boiling water reactor (nuclear power plant "Isar" 1) and a KONVOI-line pressurised water reactor (nuclear power plant "Isar" 2). The safety installations of both units are entirely separate and potential interaction is thus prevented. Owing to the significant differences between the two units, this report only describes nuclear power plant "Isar" 1 ("KKI-1"). Nuclear power plant "Isar" 1 is a 69-series boiling water reactor (BWR) manufactured by KWU (Kraftwerk Union, today AREVA NP) featuring a reactor core of 592 fuel elements. Major properties of the boiling water reactor are its 4 main steam and feedwater lines, 8 safety relief valves, 3 diverse safety relief valves, 4 emergency cooling and residual heat removal systems, one steam-driven high-pressure injection system, one high-pressure refilling system and a low-pressure core flooding system. Four emergency power buses are energised by 4 emergency diesel generators. The thermal reactor capacity amounts to 2575 MW, which is fed to one high-pressure and two low-pressure turbines to generate a gross electric power output of 912 MW (net 878 MW). KKI-1's cooling water is sourced from the Isar river; a cell cooler is available for additionally cooling down the water before it is returned to the Isar river. KKI-1's reactor building houses all major safety-related system components. Inside the reactor building there is the (spent) fuel pool and the steel containment, which is several centimetres thick.
The reactor pressure vessel as well as the dry well and wet well are inside the containment rendered inert by nitrogen when the plant is in operation. The reactor produced its first self-sustaining chain reaction (first criticality) on 20 November 1977 and the nuclear power plant commenced commercial power operation on 21 March 1979. It has generated more than 200 billion kWh of electric energy since (benchmark: the Federal Republic of Germany consumed approx. 538 billion kWh of electricity in 2010). Licensee of nuclear power plant "Isar" 1 is E.ON Kernkraft GmbH. The probabilistic safety analysis (PSA) so far performed for the periodic safety review (PSR) of KKI-1 pursuant to BMU guidelines yields Level 1 PSA results (core damage frequency, CDF) clearly below the CDF target specified by IAEA for operational plants (< 1*10-4/a). Actual results are as low as those recommended for evolutionary power reactors (1*10-5/a); they also show how well-balanced the systems and plant engineering of KKI-1 is. Level 2 PSA results (calculation of released activity and the associated frequency) show a very low frequency of major releases of fission products from KKI-1; the frequency of major releases is less than 1*10-8/a. Taken together, Level 1 and 2 PSA results show that KKI-1 has a well-balanced safety concept and operates at a very high level of safety.


Earthquake

For the site, an earthquake with an intensity of 6.25 EMS/MSK at a probability of exceedance of < 1*10-5 /a needs to be considered. With reference to KTA 2201.1, a ground response spectrum including the associated rigid body accelerations (peak ground acceleration) has been determined for the design intensity of 6.25 EMS/MSK (see Fig. 1).

Fig. 1: design spectrum (horizontal component)

A seismological survey provided the basis of determining the required seismological engineering parameters which were then examined by a seismology expert acting on behalf of the nuclear supervisory authority. In addition, many more verifications were made. All verifications showed that the applied ground response spectrum is correct. The design of components and structures with regard to seismic effects is a must for accomplishing the following protection goals: a) control of reactivity, b) cooling of fuel elements, c) confinement of radioactive materials, and d) limitation of radiation exposure.


Thus, all safety-related buildings and components are designed to withstand the design earthquake. Therefore no damage to safety-related structures or components is expected in case of a design earthquake. In the event of an earthquake, external power supply is postulated not to be available. Emergency power supply is therefore designed for the design earthquake and installed with a redundant back-up. Due to the low intensity, a design earthquake can be assumed not to destroy the infrastructure. Employees and equipment will therefore have unhindered and undelayed access to the site. The potential maximum physical seismic magnitude is expected not to seriously damage the core or the nuclear fuel. The nuclear power plant is designed for a probability of earthquake events of ≤ 1*10-5 /a and a probability of flooding events of ≤ 1*10-4 /a pursuant to KTA 2207. Moreover, plant design includes considerable margins and provides for the potentially combined effects of earthquake and flood. Earthquake PSAs prepared for German nuclear power plants similar to KKI-1 show that damaging loads and mechanisms will not substantially increase the core damage frequency even if the earthquake intensity is greater than that of the design earthquake. The high level of robustness and high standards of design also ensure that measures were taken as early as at the planning and building stages as well as by later retrofitting during power plant operation. This is further ensured by the plant being designed to withstand other external effects such as an aircraft crash or an explosion shock wave. There are thus no plans for taking further measures.

Flooding

Flood design ratings are based on KTA 2207. Its methods were used to determine the design flood for a probability of exceedance of 10-4 /a. The design of buildings assumed the following heights above datum: the maximum water level of a once in 10,000 years flood was specified as 374.32 m above mean sea level (design flood elevation). Since all entries to the plant are 375.5 m above mean sea level, a design flood can be controlled at all times. Permanent (structural) flood protection measures are in place to protect the actual plant against flooding. Design flood events require no temporary precautions and there are thus no plans for such precautions. With regard to the inland location, the first step was to determine the floodwater discharge options and, in a second step, to apply adequate methods to them to compute the design water levels. The resulting discharge volume amounts to 4200 m³/s, equivalent to a level of 374.32 m above mean sea level. Thus, the entire plant is more than 1 m above the defined design water level such that the high plant site elevation (375.4 m above mean sea level) or its elevated layout sufficiently protects all buildings and system components.


A surveyor referenced the official data to determine the design flood elevation specific to the location. Further investigations were performed to check the design. All investigations revealed that the design criteria remain valid. Placing the altitude of buildings at 375.5 m above mean sea level results in permanent flood protection because the altitude of safety-related parts of major buildings not affected by a flood could be shown to be above the on-site flood level determined in accordance with KTA 2207. Flooding due to dam failure will not affect plant safety and is provided for by the design. Moreover, to provide protection against flooding, the plant site has been raised to +375.40 m above mean sea level. Whereas the plant's base grade is still accessible in a design flood event, large parts of the surrounding Isar valley are not. In this situation, technical means such as air transport can still be used to supply the plant with the required resources. In the same way, employees can be flown into and out of the plant premises. Since there is but a gradual swell in the actual flood wave, there is a certain amount of lead time available to take these measures. In itself, the protection against flooding provided by the high level of robustness and the strict standards of plant design makes all major safety-related components intrinsically safe. The chosen location, the concept of protecting the plant against flooding, and the available design margins minimise the probability of consequential events of a flood beyond design flood ratings in excess of the events considered when assessing the design water level to be realistically anticipated. All entries to nuclear parts of the plant are at an altitude of 375.50 m above mean sea level. Since these flood elevations are very unlikely to ever occur, no probability of exceedance has been computed.
A significant design margin is provided by the large difference between the anticipated design water level and the water level that the structural design is based upon. Furthermore, there is sufficient early warning time to take measures appropriate to safeguard against a flood in excess of the design water level. Plant design is thus robust enough to make the plant reliably survive a flood.

Extreme weather

The design considers the following weather loads:

- extremely strong winds,
- extremely high and low ambient temperatures (water and air),
- extreme rainfall,
- biological effects (polluting load),
- lightning stroke,
- low tide.

Conventional construction standards as well as nuclear regulations were considered. Furthermore, the design assumed much higher loads to be safeguarded against, including external effects such as earthquakes, high tides/floods, explosion shock waves or aircraft crashes. The design requirements for the safety-related buildings exceed the extreme weather protection requirements by far. The design also takes into account the regulations provided for combinations of extreme weather conditions, specifically with regard to their causal interdependencies. Meteorological instruments monitor the ambient conditions permanently. Automatic and administrative measures will be taken before the values reach the set points. In general, the positive results of extensive considerations of extreme weather conditions including their potential combination conclusively show that the plant is safe to reliably survive extreme weather events. Due to the available design margins, no other measures are required to increase plant safety.

Loss of power supply

KKI-1 has a tiered concept of automatically ensuring AC supply to operational and safety-related components, consisting of the main grid connection, the stand-by grid connection, the emergency power supply, and a buried cable directly connecting the plant with the hydropower plant at Niederaichbach. In case of grid failures, AC supply is ensured by these measures. An additional third grid connection is available. Emergency power supply will be started if the main and stand-by grid connections are not available and load rejection to house load is not successful. In that case, the emergency power supply is automatically activated to supply power to all safety-related components required for incident control and for sustaining the plant's safety objectives. Emergency power supply is marked by its four redundant trains in line with the plant's redundancy concept. In case of complete power supply failure, the hydropower station at Niederaichbach provides a dedicated power supply. Furthermore, the vital function of the decay heat removal systems can be assured. In addition, the core will be reliably cooled by the steam-driven injection system. Pursuant to the applicable regulations, the technical equipment and the fuel at hand ensure that the diesel generator units are able to supply emergency power for 72 hours. Providing greater amounts of fuel allows this time to be extended, using light equipment within 72 h and heavy-duty equipment beyond 72 h (acc. to ENSREG Specification). In the event of an assumed total failure of the installed AC power and emergency power units, the battery-buffered redundant supply trains will supply power to the required I&C and necessary process components for at least 2 hours. At this stage, the available emergency procedures would initiate process-oriented emergency actions to provide decay heat removal and to prevent core damage.

A parallel means is to try to restore the AC power supply by activating the dedicated connection to the hydropower station at Niederaichbach and by connecting the third (buried) grid connection. This may also be provided by a mobile stand-by generator available at the KKI plant. All of the above measures are preventive; they are intended to retain the integrity of fuel elements, the reactor cooling circuit and decay heat removal. In case a preventive measure is unavailable or fails, there are mitigative measures aimed at further controlling any potential damage. Considering all of the above measures arranged to ensure continuous operation on emergency power, to provide and maintain additional equipment in case of an assumed failure of all emergency power supplies, to take emergency measures for uninterrupted decay heat removal, and to provide full mobility and transportation under serious failure modes, no other plant states can be identified that would require further and additional remedies. Consideration is being given to a concept of using additional mobile diesel generators for recharging the batteries. In view of the amended Atomic Energy Act and depending on the plant status, all concepts and constraint assumptions are currently being reviewed.

Loss of the primary heat sink

There is no risk of losing the primary heat sink due to the loss of the on-site preflooder caused by a dam or weir failure, the reason being that two emergency power-backed auxiliary coolant pumps at discrete locations away from the coolant abstraction building will pump water from the natural course of the Isar river into the pond of the water intake building. Moreover, other heat dissipation solutions are in place to cover for potential failures of the water intake and return pipes as well as of the pump building. This will be in effect even in case of an assumed complete failure of the service water supply to the alternative heat sinks used for cooling the fuel pool and for removing the heat from the containment. The means provided for the latter is venting the containment. Other options are to supply fire-fighting water or drinking water. Time constraints on using alternative heat sinks depend on the amount of fuel and coolant at hand. The time slot can be extended to any length by appropriate emergency measures. At first, however, external measures for long-term heat sink operation are not required. The above shows that the plant features a wide variety of measures aimed at sustained dissipation of decay heat. Regardless of the above, there are plans or applications for further measures aimed at improving plant safety. Thus, two new stand-by diesel generator buildings will be erected to house a new air-cooled, diverse standby diesel generator. In order to operate more independently of the water intake building and the on-site preflooder, a redundant supply of cooling water is envisaged.

Loss of the primary heat sink following station blackout

Following a station blackout, neither the station service power supply nor the emergency diesel generators will be available. In this situation, KKI-1 can fall back on the battery-powered uninterruptible power supply. Since the uninterruptible power supply is directly linked to the reactor protection system, the appropriate reactor protection measures will be initiated. The core will be reliably cooled by the steam-driven injection system if and as long as the battery voltage is supplied. If, in the course of a station blackout, recharging the batteries is impossible despite the many different emergency measures, the reactor pressure vessel will soon be pressure relieved while the steam-driven injection system maintains the correct water level. The pump of the injection system is driven by a turbine which is powered by steam from the reactor. These automatic measures ensure that heat from the core can be reliably dissipated for several hours. Various measures are available to use the fire fighting system to supply make-up water from the Isar river to the reactor pressure vessel (RPV) and the fuel pool. Thus, even if battery power supply cannot be restored, long-term cooling of the core is ensured in the event of a station blackout. Also for the non-power mode there are emergency measures that aim at supplying power and water to the RPV and filling up the fuel pool. One emergency measure is to restore the power supply via the (external) connection to the hydropower plant in Niederaichbach. Another option besides the use of the on-site mobile emergency power generator is to request further external units. Apart from that, in general, the consumables, equipment etc. required to take emergency measures are available on-site in the necessary amount and quality. To conclude, the variety of measures in place to ensure decay heat removal suggests that the plant will be safe even following a station blackout. Nevertheless, there are plans for installing two new emergency diesel generator buildings and for replacing the associated water-cooled emergency diesel generators with new air-cooled, diverse units.

Managing severe accidents

The policy of continuously improving the nuclear power plant "Isar" 1 with regard to scientific and technological advancements has led to establishing a range of measures aimed at preventing severe accidents or, in the highly improbable case of such accidents occurring, at preventing or at least considerably constraining their effects on the plant and its environment. In the case of beyond design basis accidents, the operator has planned many organisational and technical measures and precautions to have the required employees and technical equipment available on-site. Minimum staffing of the shift personnel ensures that all emergency measures can be taken at any time, even in cases of beyond design basis accidents. Plant radio receivers and telephones are available for alerting the persons required to make up the emergency organisation team. Personnel bottlenecks can be made up for by requesting personnel working at other E.ON locations. Periodic emergency drills ensure that everything will work in case of an emergency.


Upon notification received from the affected power plant, E.ON Headquarters in Hanover will alert the corporate emergency organisation that will be responsible for communicating with the press and for making corporate decisions. Every plant has the equipment on site to execute the emergency procedures. Where further equipment is necessary, this concerns commercially available components as used by fire brigades and emergency services. This will help to almost entirely avoid severe accident events or, should they occur, to significantly slow down the progression of their effects, which provides extra time for the mobilisation of personnel and technical equipment to the site. Procurement of process and auxiliary materials is regulated within the implementation instructions such that there is always a minimum stock at hand. Important spare parts are kept on-site or can be obtained from the manufacturers by means of contractually secured stand-by services. Following radiologically relevant releases, the emergency organisation will assign the Radiation Protection Team to perform the measurements in the plant's vicinity as specified in the surveillance concept; the team will also advise the competent emergency protection authority as to whether the public should be alerted. Various means of communication are available for on-site and off-site communication, including wired telephones, radios working at different frequency ranges, plant radio receivers, and satellite phones. A blackout-proof telephone line allows connection to the grid control centre for several hours. Sufficient equipment is available on-site to restore access to buildings blocked by external effects. External fire brigades, the technical emergency service or the national nuclear emergency group (www.khgmbh.de), with separate support contracts, are also available. In the case of a radiologically relevant release, an internal handling concept applies, i.e. Radiation Protection staff will measure actual activity concentrations in occupied areas and define the appropriate measures. The control room can be connected to a circulating air filter which, despite the radioactivity, will allow the staff to stay and work in the room without respiratory equipment. When radiation levels prohibit any further use of the control room, the measures required to shut down the plant and to cool the fuel pool can still be taken via the remote shutdown station (partly bunkered) located in the central control & switchgear building at an adequate distance from the main control room. Explosive gases are automatically detected, and ventilation of the central control & switchgear building and of the remote shutdown station can be manually set to recirculation mode. In this case, the emergency organisation will work from the back-up emergency support centre located at the hydropower plant in Altheim. In the German plants, safety level 4 activities are protection goal oriented, usually predefined by initiation criteria. The starting conditions for execution are described in the Emergency Manual. (Explanation for the English version: In addition to the Operational Manual there is the fully established Emergency Manual, which is continuously improved by the operator and supervised by the authority. In contrast to the international approach, this Emergency Manual describes only severe accident measures at safety level 4 and therefore covers preventive and mitigative measures.)

Basically, facilities in flood-proof and earthquake-resistant buildings are available on demand. Due to the geographical plant position, high tides and floods can be assumed not to occur suddenly, leaving enough time to build further barriers with equipment available on-site. Regarding the loss of power supply, a distinction is made between the station blackout scenario and the scenario with available emergency diesel generators. The I&C design complies with the rules issued by the German Nuclear Safety Standards Commission (KTA) for emergency I&C. These rules specify which measured values have to be made available on the control room displays. Further, the rules lay down requirements on the physical design of the I&C. Furthermore, all relevant I&C devices are battery-buffered and available for the specified time in cases of complete loss of power. In addition, KKI-1 has installed extra systems usable during beyond design basis accidents. Examples of such systems are the radioactivity monitoring of the containment venting system and the containment sampling system. The emergency procedures are protection goal oriented, not event oriented. Measures to be taken after core damage scenarios have to cover a wide range of potential events. In September 2010, EKK ordered a SAMG concept (Severe Accident Management Guidelines) for the EKK plants. The corresponding documents will be compiled by AREVA.

Severe accident measures for core cooling, for retaining containment integrity, and for limiting radioactive releases into the environment

The safety level 4 measures described in the Emergency Manual are aimed at preventing core damage. They are separately associated with the plant's protection goals. First, measures are described for increasing the coolant inventory as well as for restoring core cooling. In case high pressure occurs in the reactor cooling circuit after core cooling has failed, automatic depressurization and the dedicated pressure limiting and control system will decrease the pressure in the cooling circuit such that low-pressure systems can be used for core cooling. Apart from automatic depressurization, there is also the option of manually starting the depressurization. If the pressure cannot be reduced, the high-pressure safety injection & refilling systems are available to maintain the water level inside the reactor pressure vessel. The steam-driven injection system can also be used to reduce the RPV pressure. At low pressure in the reactor cooling circuit, mobile fire fighting pumps can be used to refill the reactor pressure vessel as an emergency measure without time constraints and even during station blackout and a battery supply failure. A further emergency measure is the filtered venting of the containment. This is also operable during station blackout and a battery supply failure. Depending on the plant status, the amount of damage etc., the emergency organisation will decide whether an attempt will be made to restart previously failed systems.

The Emergency Manual also describes procedures for restoring the AC power supply. In addition to the four emergency diesel generators, emergency measures exist for restoring AC power supply using a stand-alone buried cable connected to the hydropower plant in Niederaichbach. The above emergency measures can still be taken when the core is damaged. They are capable of terminating the process of core destruction or at least of considerably increasing the time available until further measures need to be taken. If, in case of a meltdown, the reactor pressure vessel is assumed to fail, the melt will propagate to the lining chamber, delayed by the structures in the control rod drive chamber and the containment shell. In the lining chamber, melt and concrete would come into contact. For many accident progression scenarios a coolable configuration will be established. Therefore the molten corium concrete interaction can be avoided or stopped. Investigations into the consequences of a penetration of the concrete of the reactor building basemat have shown that, due to delay times and dilution, the release of fission products can be reduced in a sustained manner. In cases of severe core damage, hydrogen will be generated due to the chemical reaction between fuel rod cladding and coolant. Therefore, systems for measuring hydrogen concentrations and HVAC fans exist to avoid inadmissible hydrogen concentrations in the containment atmosphere. Furthermore, a hydrogen decomposition system is installed which recombines the hydrogen to water. Any hydrogen leakages from the containment towards the annular space are extracted by the annulus exhaust system. Periodic tests measure the containment's leakage rate to ensure that it does not exceed the specified limits.

In case of containment pressurization due to evaporation processes and/or RPV damage, the containment pressure can be limited and decreased by operating the containment pressure suppression system, and a filtered venting of the containment can be performed. Before that, the accident-proof sampling system can be used to evaluate the composition of nuclides in the containment and to estimate the activity releases during the venting process. Activity releases are reduced by the installed iodine and aerosol filters. The instruments in the vent stack measure how much activity is being released. The venting system can be restarted as often as necessary. Usability of the venting system with regard to the radiological conditions in a meltdown situation has been shown by an accessibility study. If a containment failure is assumed, any release will spread inside the reactor building. If the annulus exhaust system is operable, air-borne activity will be filtered and transmitted to the vent stack. Depending on the containment failure, the pressure in the reactor building, the turbine building or the auxiliary building can increase rapidly. Even if the exhaust system is not available, there will still be a natural draught up to the air chimney. The results of the probabilistic safety analysis of nuclear power plant "Isar" 1 have shown that, due to its robust and conservative design, the containment is not expected to fail until exposed to more than twice its design pressure. In order to ensure subcriticality following a SCRAM, all control rods will be inserted hydraulically into the reactor core. Simultaneously with the SCRAM, the electric control rod drives are activated to lock the control rods in their upper position. Electrical insertion of the control rods and shutting off the reactor internal circulation pumps are redundant measures for achieving subcriticality. An additional diverse system is the boron control system initiating an injection of pentaborate solution into the reactor. Sufficient shutdown reactivity assures that the reactor will remain permanently subcritical after the SCRAM. The negative temperature coefficient is taken into account in a conservative manner. Demineralised water is used to cool the fuel elements in the fuel pool. Subcriticality is ensured by the geometry of the racks and the use of boron steel. Under undisturbed conditions, the fuel elements are covered in water several metres deep. If boiling should occur in the fuel pool, the water level will decrease very slowly. The procedures described are able to restore the water in the fuel pool to a specified level by filling with demineralised water, pure water or using mobile fire fighting pumps. These procedures are suitable to terminate or reduce the effects of previous fuel element damage. The spent fuel pool is located inside the reactor building which is designed to withstand a design earthquake and a design flood.


5 KKI 2 / Isar 2

Brief description of the nuclear power plant KKI 2

The nuclear power plant "Isar" consists of two units and is located at the Isar river at river kilometre 61, west of Niederaichbach barrage in the county of Landshut in Lower Bavaria, borough of Essenbach (Federal State of Bavaria). Its location is about 14 kilometres downstream of Landshut. The power plant as a whole combines two different types of station, i.e. a 69-series boiling water reactor (nuclear power plant "Isar" 1) and a KONVOI-type pressurised water reactor (nuclear power plant "Isar" 2). The safety installations of both units are entirely separate and potential interaction is thus prevented. Owing to the significant differences between the two units, this report only describes nuclear power plant "Isar 2" ("KKI-2"). Nuclear power plant "Isar 2" is a KONVOI-type pressurised water reactor (PWR) manufactured by KWU (Kraftwerk Union, today AREVA NP) featuring a reactor core of 193 fuel elements. It is a 4-loop plant comprising four steam generators, four lines of safety systems kept entirely separate (i.e. there are four trains for residual heat removal, four emergency diesel generators, etc.), and four supplemental emergency feed power diesels (for controlling external and other events). Thermal reactor capacity amounts to 3950 MW, which is fed to one high-pressure and three low-pressure turbines to generate a gross electric power output of 1485 MW (net 1410 MW). KKI-2 is cooled by a natural draught cooling tower; cooling water is sourced from the Isar river. KKI-2's reactor building houses all major safety-related components and is made of reinforced concrete (>> 1 m thick). Inside the reactor building, there is the full-pressure steel containment with walls several centimetres thick encompassing the primary circuit (consisting of the reactor pressure vessel, the pipes connected to it, the primary coolant pumps, etc.) with the steam generators and the (spent) fuel pool.

The reactor produced its first self-sustaining chain reaction (first criticality) on 15 January 1988 and the nuclear power plant commenced commercial power operation on 9 April 1988. By 30 June 2011, it had generated about 265 billion kWh of electric energy (benchmark: the Federal Republic of Germany consumed approx. 538 billion kWh of electricity in 2010). Licensees of nuclear power plant "Isar 2" are E.ON Kernkraft GmbH and Stadtwerke München GmbH. The probabilistic safety analysis (PSA) so far performed for the periodic safety review (PSR) of KKI-2 pursuant to BMU guidelines yields Level 1 PSA results (core damage frequency, CDF) clearly below the CDF target specified by IAEA for operational plants (< 1*10-4/a). Actual results are as low as those recommended for evolutionary power reactors (1*10-5/a); they also show how well-balanced the systems and plant engineering of KKI-2 are. Level 2 PSA results (calculation of released activity and the associated frequency) show the very low frequency of major releases of fission products from KKI-2; the frequency of major releases is less than 1*10-9/a. Taken together, Level 1 and 2 PSA results show that KKI-2 has a well-balanced safety concept and operates at a very high level of safety.


Earthquake

For the site at a probability of exceedance of < 1*10-5 /a an earthquake with an intensity of 6.25 EMS/MSK needs to be considered. With reference to KTA 2201.1, a ground response spectrum including the associated rigid body accelerations (peak ground acceleration) has been determined for the design intensity of 7.25 EMS/MSK (see Fig. 1).

[Figure: horizontal acceleration (m/s²) versus frequency (Hz)]

Fig. 1: design spectrum (horizontal component)

A seismological survey provided the basis of determining the required seismological engineering parameters which were then examined by a seismology expert acting on behalf of the nuclear supervisory authority. In addition, many more verifications were made. All verifications showed that the applied ground response spectrum is correct. The design of components and structures with regard to seismic effects is a must for accomplishing the following protection goals: a) control of reactivity, b) cooling of fuel elements, c) confinement of radioactive materials, and d) limitation of radiation exposure. Thus, all safety-related buildings and components are designed to withstand the design earthquake. Therefore no damage to safety-related structures or components is expected in case of a design earthquake.


In the event of an earthquake, external power supply is postulated not to be available. Emergency power supply is therefore designed for the design earthquake and installed with a redundant back-up. Apart from the four emergency diesel generators (ordinary back-up AC power source, NSDA1), there are another four emergency feed power diesels (diverse AC power source, NSDA2). Due to the low intensity, a design earthquake can be assumed not to destroy the infrastructure. Employees and equipment will therefore have unhindered and undelayed access to the site. The potential maximum physical seismic magnitude is expected not to seriously damage the core or the nuclear fuel. The nuclear power plant is designed for a probability of earthquake events of ≤ 1*10-5 /a and a probability of flooding events of ≤ 1*10-4 /a pursuant to KTA 2207. Moreover, plant design includes considerable margins and provides for the potentially combined effects of earthquake and flood. Earthquake PSAs prepared for German nuclear power plants similar to KKI-2 show that damaging forces and mechanisms will not substantially increase the core damage frequency even if the earthquake intensity is greater than that of the design earthquake. The high level of robustness and high standards of design also ensure that measures were taken as early as at the planning and building stages as well as by later retrofitting during power plant operation. This is further ensured by the plant being designed to withstand other external effects such as an aircraft crash or an explosion shock wave. There are thus no plans for taking further measures.

Flooding

Flood protection is based on KTA 2207. Its methods were used to determine the design flood for a probability of exceedance of 10^-4/a. The design of buildings assumed the following heights: the maximum water level of a once-in-10,000-years flood was specified as 374.32 m above mean sea level for the location of KKI-1. In a conservative assumption, the maximum water level at the KKI-2 site (upstream of KKI-1) was specified as 374.93 m above mean sea level (design flood elevation). Since all entries to the plant are at 375.5 m above mean sea level, a design flood can be controlled at all times. Permanent (structural) flood protection measures are in place to protect the actual plant against flooding. Design flood events require no temporary precautions, and there are thus no plans for such precautions. With regard to the inland location, the first step was to determine the floodwater flow and, in a second step, to compute the design water levels from it by applying adequate methods. To establish the probability of the various flood elevations at the site, data of the reference gauge Landau were evaluated, based on water flows measured between 1926 and 1990. In order to derive the water flow at the site from these data, a factor of 0.968 was established. Using the data between 1926 and 1958, the flow for a probability of exceedance of 10^-4/a was deduced by extrapolation beyond HQ1000. The resulting flow amounts to 4200 m³/s, equivalent to a level of 374.93 m above mean sea level. Thus, the entire plant is more than 1 m above the defined design water level, such that the high plant site elevation (375.4 m above mean sea level) or its elevated layout sufficiently protects all buildings and system components. A surveyor referenced the official data to determine the design flood elevation specific to the location. Further investigations were performed to check the design. All investigations revealed that the design criteria remain valid. Placing the buildings at an altitude of 375.5 m above mean sea level results in permanent flood protection, because the altitude of the safety-related parts of major buildings not affected by a flood could be shown to be above the on-site flood level determined in accordance with KTA 2207. Flooding due to dam failure will not affect plant safety and is provided for by the design. Moreover, to provide protection against flooding, the plant site has been raised to +375.40 m. Whereas the plant's base grade is still accessible in a design flood event, large parts of the surrounding Isar valley are not. In this situation, technical means such as air transport can still be used to supply the plant with the required resources. In the same way, employees can be flown into and out of the plant premises. Since the actual flood wave swells only gradually, there is a certain amount of lead time available to take these measures. In itself, the protection against flooding provided by the high level of robustness and the strict standards of plant design makes all major safety-related components intrinsically safe. The chosen location, the concept of protecting the plant against flooding, and the available design margins minimise the probability of consequential events of a flood beyond the design flood ratings, in excess of the events considered when assessing the design water level to be realistically anticipated. A significant design margin is provided by the large difference between the anticipated design water level and the water level that the structural design is based upon.
Furthermore, there is sufficient early warning time to take measures appropriate to safeguard against a flood in excess of the design water level. Plant design is thus robust enough to make the plant reliably survive a flood.

Extreme weather

The design considers the following weather loads:
- extremely strong winds,
- extremely high and low ambient temperatures (water and air),
- extreme rainfall,
- biological effects (polluting load),
- lightning stroke,
- low tide.

Conventional construction standards as well as nuclear regulations were considered. Furthermore, the design assumed much greater loads to be safeguarded against, including external effects such as earthquakes, floods, explosion shock waves or aircraft crashes. The design requirements for the safety-related buildings exceeded the extreme weather protection requirements by far. The design also takes into account the regulations provided for combinations of extreme weather conditions, so that relevant effects, and in particular those with causal interdependencies, are provided for. Meteorological instruments monitor the ambient conditions permanently. Hence, automatic and administrative measures will be taken before the values attain the set points. In general, the positive results of extensive considerations of extreme weather conditions, including their potential combination, conclusively show that the plant is safe in case of extreme weather events. Due to the available design margins, no other measures are required to increase plant safety.

Loss of power supply

KKI-2 has a tiered concept of automatically ensuring AC supply to operational and safety-related components, consisting of the main grid connection, the stand-by grid connection, the emergency power supply (ordinary back-up AC power source – NSDA1), and the emergency feed power supply (diverse AC power source – NSDA2). The different stages of the AC power supply make it possible to cover different failures of the AC grid. An additional third grid connection is available. Emergency power supply will be started if the main and stand-by grid connections are not available and load shedding to house load is not successful. In that case, the emergency power supply is automatically activated to supply power to all safety-related components required for incident control and for sustaining the plant's safety objectives. Emergency power supply is marked by its four redundant trains in line with the plant's redundancy concept. In case of a failure of all four emergency power supplies, the emergency feed power supplies will be started automatically in all four trains. The emergency feed power supply system is able to back up the vital functions of the decay heat removal facilities. Pursuant to the applicable regulations, the technical equipment and the fuel at hand ensure that both the emergency power supply and the emergency feed power supply by the diesel generator units last for 72 hours. Providing greater amounts of fuel allows this time to be extended, assuming that light equipment can be used within 72 h and heavy-duty equipment after more than 72 h (acc. to ENSREG Specification). In the event of an assumed total failure of the installed AC power and emergency power/emergency feed power supplies, the battery-buffered redundant supply trains will supply power to the required I&C and necessary process components for at least 2 hours.
At this stage, the available emergency procedures would initiate process-oriented emergency actions to provide decay heat removal and to prevent core damage. A parallel means is to connect the third (buried) grid connection in order to try to restore the AC power supply. This may also be provided by a mobile stand-by generator available at the KKI plant. All of the above measures are preventive, that is to say, they are intended to retain the integrity of the fuel elements, the primary cooling circuit and decay heat removal. In case a preventive measure is unavailable or fails, there are mitigative measures aimed at further controlling any potential damage. Considering all of the above measures arranged to ensure continuous operation on emergency power, to provide and maintain additional equipment in cases of an assumed failure of all emergency power supplies, to take emergency measures for uninterrupted decay heat removal, and to provide full mobility and transportation under serious failure modes, no other plant states can be identified that would require further and additional remedies. Some thought is given to the concept of using additional mobile diesel generators for recharging the batteries. In view of the amended Atomic Energy Act, all concepts and boundary conditions are currently being reviewed.

Loss of the primary heat sink

A loss of the primary ultimate heat sink due to an inadmissible blockage of the main water inlets can be excluded because of the existence of two separate water intake buildings on different sides of the weir and the associated two service water pump house structures. In case of failures of emergency diesel power-backed components belonging to the residual heat removal chain, the decay heat will be dissipated by enabling the emergency residual heat removal chain. The two trains of the emergency residual heat removal system are powered by the emergency feed diesel network, which is protected against external effects. If both the main water and the service water systems fail, the heat is discharged on the secondary side via the main steam relief station. First of all, the emergency feedwater system will be activated. In the long run, one emergency feed diesel is sufficient to ensure the emergency residual heat removal or, respectively, the feeding of the steam generators. Without any external support, the plant is able to run in this mode until the available oil and fuel quantities have been consumed, which is only after a very long time of operation. If the service water system fails completely, the demineralised water pools must be replenished by emergency measures. This is done using fire pumps delivering water either from the cooling tower basin or from the ditch leading down to the Isar river. Measures in non-power mode depend on the state of the plant and may be equivalent to power mode measures or to those taken to cool the fuel pool. Time constraints on using alternative heat sinks depend on the amount of fuel and coolant at hand. The time slot can be extended to any length by the appropriate emergency measures. At first, however, external measures for long-term heat sink operation are not required. The above shows that the plant features a wide variety of measures aimed at a sustained dissipation of decay heat.
There are plans for improving the situation by installing a 1 MVA power stand-by unit.


Loss of the primary heat sink following station blackout

Following a station blackout, neither the station service power supply nor the emergency diesel generators (NSDA1) will be available. However, KKI-2 still has the fall-back solution of the emergency feed diesels (NSDA2) and the third grid connection. Coolant supply can thus be ensured by taking the measures discussed in section 0.8. If an event occurs during power operation, the emergency feed water system will therefore be able to shut down the plant to "subcritical hot" and provide independent decay heat removal for some time. In case the emergency feed diesels and the third grid connection are not credited, the emergency measures of choice are secondary and primary feed and bleed. Once pressure in the steam generators has been relieved, the secondary feed measure may be carried out using the water inventory of the feed-water pipes or the feed-water tank, or by using a fire water pump. Assuming pressure can be successfully released from the steam generators (but there is no feeding), some time will be gained before the next measure (primary feed and bleed) is taken. By means of the accumulators, the latter will provide some more buffer time that will suffice to activate the third grid connection or to add the station service power circuits. Both the availability of the third grid connection and the operation of the mobile pumps for longer periods of time as part of the secondary and primary feed and bleed measures depend on external measures and on the availability of fuel. Generally speaking, the procurement, delivery and connection of fuels is a routine process sufficiently detailed in the Operating Manual (BHB) and the implementation instructions contained in the Plant Organisation Manual (BOHB). To conclude, the variety of measures in place to ensure decay heat removal suggests that the plant will be safe even following a station blackout.

Managing severe accidents

The policy of continuously improving the nuclear power plant KKI 2 with regard to scientific and technological advancements has led to the establishment of a plurality of measures aimed at preventing severe accidents or, in the highly improbable case of such accidents occurring, at preventing or at least considerably constraining their effects on the plant and its environment. In the case of beyond design basis accidents, the operator has planned many organisational and technical measures and precautions to have the required employees and technical equipment available on-site. Minimum staffing of the shift personnel ensures that all emergency measures can be taken at any time, even in cases of beyond design basis accidents. Plant radio receivers and telephones are available for alerting the persons required to make up the emergency organisation team. Personnel bottlenecks can be made up for by requesting personnel working at other E.ON locations. Periodic emergency drills ensure that everything will work in the case of an emergency.


Upon notification received from the affected power plant, E.ON Headquarters in Hanover will alert the Corporate Emergency Organisation, which will be responsible for communicating with the press and for making corporate decisions. Every plant has the equipment on site to execute the emergency procedures. When further equipment is necessary, this will concern commercially available components as used by fire brigades and emergency services. This will help to almost entirely avoid severe accidents or, should they occur, to significantly slow down their progression, which will provide extra time for the mobilisation of personnel and technical equipment to the site. Procurement of process and auxiliary materials is regulated within the implementation instructions such that there is always a minimum stock at hand. Important spares are kept on-site or can be obtained from the manufacturers by means of contractually secured stand-by services. Following radiologically relevant releases, the emergency organisation will have the Radiation Protection Team perform the measurements in the plant's vicinity as specified in the surveillance concept; the team will also advise the competent emergency protection authority as to whether the public should be alerted. Various means of communication are available for on-site and off-site communication, including wired telephones, radios working at different frequency ranges, plant radio receivers, and satellite phones. A blackout-proof telephone line allows connection to the grid control centre for several hours. Sufficient equipment is available on the plant site to restore access to buildings blocked by external effects. External fire brigades, the technical emergency service or the national nuclear emergency group (www.khgmbh.de), each with separate support contracts, are also available. When an accident with imputed activity release occurs, an internal handling concept applies, i.e. Radiation Protection will measure actual activity concentrations in occupied areas and define the appropriate measures. The control room can be connected to a circulating air filter which, despite the radioactivity, will allow the staff to stay and work in the room without respiratory equipment. When radiation levels prohibit any further use of the control room, the measures required to shut down the plant and to cool the fuel pool can still be taken via the emergency control room located inside the bunkered emergency feed building at an adequate distance from the main control room. Explosive gases are automatically detected, and ventilation of the emergency feed building can also be manually set to recirculation mode. In this case, the emergency organisation will work from the back-up emergency support centre located at the hydropower plant in Altheim. In the German plants, safety level 4 activities are protection goal oriented, usually predefined by initiation criteria. The requirements for execution are described in the Emergency Manual. (Explanation for the English version: In addition to the Operational Manual there is the fully established Emergency Manual, which is continuously improved by the operator and supervised by the authority. In contrast to the international approach, this Emergency Manual describes only severe accident measures at safety level 4 and therefore covers preventive and mitigative measures.)


Basically, it can be assumed that facilities in flood-proof and earthquake-resistant buildings are available on demand. Due to the geographical plant positions, high tides and floods can be assumed not to occur suddenly, leaving enough time to build further barriers with the equipment available on-site. Concerning the availability of power supply, a distinction is made between the loss of on-site power and the loss of the emergency diesel generators. The I & C design complies with the rules issued by the German Nuclear Safety Standards Commission (KTA) for emergency I & C. These rules specify which measured values have to be on display in the control room. Further, the rules impose requirements on the physical design of the I & C. Furthermore, all relevant I & C devices are battery-buffered and are available for the specified time in cases of complete loss of power. In addition, KKI-2 has installed extra systems usable during beyond design basis accidents. Examples of such systems are the radioactivity monitoring of the containment venting system and the containment sampling system. The emergency procedures are protection goal oriented, not event oriented. Measures to be taken after core damage scenarios have to cover a wide range of potential events. Hence, in September 2010, EKK ordered a SAMG concept (Severe Accident Management Guidelines) for the EKK plants. The corresponding documents will be compiled by AREVA.

Severe accident measures for core cooling, for assuring containment integrity, and for limitation of radioactive releases into the environment

The measures belonging to safety level 4 described in the Emergency Manual are aimed at preventing core damage and are associated with the plant's specific protection goals. The first measures are dedicated to increasing the coolant inventory as well as to restoring core cooling in recirculation mode. If the primary circuit is exposed to high pressure following a core cooling failure, secondary- and primary-side bleed & feed measures will be taken to lower the pressure and temperature in the primary circuit and to allow water to be fed by passive systems or to ensure feeding through low-pressure injection systems. According to the Emergency Manual, some emergency measures will be taken at the same time; however, there is a priority list specifying which measure must be taken when the specified initiation criteria are met. Secondary-side bleed & feed measures by means of a mobile fire fighting pump can go on without time constraints and can be taken even if the station AC power supply and the battery system have failed. That is also valid for filtered venting. Depending on the plant status, the amount of damage etc., the emergency organisation will decide whether an attempt will be made to restore previously failed systems. The Emergency Manual also describes procedures for restoring the AC power supply. In addition to the four emergency diesel generators, the plant has four emergency feed power diesels located in the emergency feed building, which is protected against external impacts. The emergency control room is also housed in this building.


The above mentioned emergency measures can still be taken when the core is damaged. They are capable of terminating the process of core degradation or at least of considerably increasing the grace periods available until further measures need to be taken. If, in case of a meltdown, the reactor pressure vessel is assumed to have failed, the melt will come into contact with concrete. For many accident progression scenarios a coolable configuration will be established, so that the molten corium concrete interaction can be avoided or stopped. Investigations with regard to the consequences of a penetration of the concrete of the reactor building basement have shown that, due to delay times and dilutions, the release of fission products can be decreased in a sustainable manner. In cases of severe core damage, hydrogen will be generated due to the chemical reaction between the fuel rod cladding material and the coolant. Additionally, gases will be generated during the melt-concrete interaction. Therefore, systems for measuring hydrogen concentrations and HVAC fans exist to avoid inadmissible hydrogen concentrations in the containment atmosphere. Furthermore, a system for H2 recombination based on autocatalytic recombiners is installed throughout the containment that will recombine the H2 and turn it into water. These are passive systems working without external energy or auxiliary systems. Any hydrogen leaking from the containment towards the annular space in the reactor building is extracted by the annulus exhaust. The containment's leakage rate is checked repeatedly by periodic testing. The leakage rate must be below the specified limits. In case of containment pressurisation due to evaporation processes and/or RPV damage, the containment pressure can be limited and decreased by operating the containment pressure suppression system, and a filtered venting of the containment can be performed.
Before that, the accident-proof sampling system can be used to evaluate the composition of nuclides in the containment and to estimate the activity releases during the venting process. Activity releases are reduced by the installed iodine and aerosol filters. The instruments in the vent stack measure how much activity is being released. The venting system can be restarted as often as necessary. Usability of the venting system with regard to its radiological conditions in a meltdown situation has been shown by an accessibility study. Due to the high robustness of the containment and the foreseen protection measures (filtered venting and passive autocatalytic recombiners), a containment failure is physically unreasonable. If a containment failure is assumed anyhow, any releases will be spread inside the annular space between the containment and the reactor building. If the annular exhaust system is active, any air-borne activity will be filtered and released via the vent stack. Depending on the type of reactor containment failure, the pressure in the annular space in the reactor building or the reactor auxiliary building may build up quickly. Even so, and even if the exhaust system fails, there will be some natural draught up the vent stack. The results of the probabilistic safety analysis of nuclear power plant "KKI 2" have shown that, due to its robust and conservative design, the containment shell is not expected to fail until exposed to twice its design pressure.


In order to ensure sustained subcriticality following a SCRAM in an accident event, the automatically initiated systems will feed borated water to the primary circuit. Boron injections are rated such that the reactor will remain permanently subcritical after the control elements have shut down the reactor. The negative temperature coefficients are also taken into account by design. Control systems prevent the injection of deionate (demineralised water). Borated water is also used to cool the fuel elements in the spent fuel pool. Strictly speaking, owing to the geometry of the racks and the use of borated steel, the boron in the coolant is not necessary to ensure subcriticality. In normal operating conditions, the heads of the fuel elements are covered by several metres of water. If boiling should occur in the spent fuel pool, the water level will decrease very slowly and the boric acid concentration will increase. The emergency procedures described are able to restore the water in the pool to a more normal level by adding demineralised water or coolant from the flooding tanks. These procedures are also suitable means of preventing or reducing the effects of previous core damage. The fuel pool is located inside the containment, which is designed to withstand high pressures, whereas the reactor building is able to resist external impacts.


6 KKU / Unterweser

Brief description of the NPP KKU

The nuclear power plant "Unterweser" is a single unit power station and is located on the western (left) shore of the Weser river at lower-Weser-river-kilometre 52, about 6 km south of Nordenham and 11 km north of Brake in the borough of Stadland, district of Wesermarsch (Federal State of Lower Saxony). The nuclear power plant is a plant-type 2 pressurised water reactor (PWR) manufactured by KWU (Kraftwerk Union, today AREVA NP) featuring a reactor core of 193 fuel elements. It is a 4-loop plant comprising four steam generators, four lines of safety systems kept entirely separate (i.e. four trains for emergency and residual heat removal, four emergency diesel generators, etc.), and two supplemental emergency condition diesel units for controlling external events. Thermal reactor capacity amounts to 3900 MW, which is fed to one high-pressure and three low-pressure turbines to generate a gross electric power output of 1410 MW (net 1345 MW). The plant is cooled by the river Weser. The reactor building houses all major safety-related components and is made of reinforced concrete. Inside the reactor building, there is the full-pressure steel containment with walls several centimetres thick encompassing the primary circuit (consisting of the reactor pressure vessel, the pipes connected to it, the primary coolant pumps, etc.) with the steam generators and the (spent) fuel pool. The reactor produced its first self-sustaining chain reaction (first criticality) on 16 September 1978, and the nuclear power plant commenced commercial power operation on 6 September 1979. Until now it has generated over 305 billion kWh of electric energy (benchmark: the Federal Republic of Germany consumed approx. 538 billion kWh of electricity in 2010). The licensee of nuclear power plant "Unterweser" is E.ON Kernkraft GmbH.
The probabilistic safety analysis (PSA) so far performed for the periodic safety review (PSR) of KKU pursuant to BMU guidelines yields Level 1 PSA results (core damage frequency, CDF) clearly below the CDF target specified by IAEA for operational plants (< 1*10^-4/a). Actual results are as low as those recommended for evolutionary power reactors (1*10^-5/a); they also show how well-balanced the systems and plant engineering of KKU are. The preliminary results of the ongoing Level 2 PSA (calculation of released activity and the associated frequency) lead to the conclusion that the frequency of major releases of fission products from KKU is also very low; the frequency of major releases can be pre-estimated to be less than 1*10^-8/a. Taken together, Level 1 and 2 PSA results show that KKU has a well-balanced safety concept and operates at a very high level of safety.

Earthquake

For the site, an earthquake with an intensity of 5.5 EMS/MSK at a probability of exceedance of < 1*10^-5/a needs to be considered. With reference to KTA 2201.1, a ground response spectrum including the associated rigid body accelerations (peak ground acceleration) has been determined for the design intensity of 6.0 EMS/MSK (see Fig. 1).

[Figure 1: design spectrum (horizontal component); horizontal acceleration (m/s²) plotted against frequency (Hz)]

A seismological survey provided the basis for determining the required seismological engineering parameters, which were then examined by a seismology expert acting on behalf of the nuclear supervisory authority. In addition, many more verifications were made. All verifications showed that the applied ground response spectrum is correct. The design of components and structures with regard to seismic effects is a must for accomplishing the following protection goals: a) control of reactivity, b) cooling of fuel elements, c) confinement of radioactive materials, and d) limitation of radiation exposure. Thus, all safety-related buildings and components are designed to withstand the design earthquake. Therefore, no damage to safety-related structures or components is expected in the case of a design earthquake. In the event of an earthquake, external power supply is postulated not to be available. Emergency power supply is therefore designed for the design earthquake and installed with a redundant back-up. Apart from the four emergency diesel generators (ordinary back-up AC power source – NSDA1), there are another two emergency condition diesel units (diverse AC power source – NSDA2). Due to the low intensity, a design earthquake can be assumed not to destroy the infrastructure. Employees and equipment will therefore have unhindered and undelayed access to the site. The potential maximum physical seismic magnitude is expected not to seriously damage the core or the nuclear fuel. The nuclear power plant is designed for a probability of earthquake events of ≤ 1*10^-5/a and a probability of flooding events of ≤ 1*10^-4/a pursuant to KTA 2207. Moreover, plant design includes considerable margins and provides for the potentially combined effects of earthquake and flood. Earthquake PSAs prepared for German nuclear power plants similar to KKU show that damaging forces and mechanisms will not substantially increase the core damage frequency even if the earthquake intensity is greater than that of the design earthquake. The high level of robustness and high standards of design also ensure that measures were taken as early as at the planning and building stages as well as by later retrofitting during power plant operation. This is further ensured by the plant being designed to withstand other external effects such as an aircraft crash or an explosion shock wave. There are thus no plans for taking further measures.

Flooding

The plant is located in the tidal reach of the estuary of the Weser river. Two barriers protect it against high tides and their effects. The first barrier is the state-controlled dyke; the second is the so-called plant safety limit, that is to say, the altitude up to which the safety-relevant system components are protected against tidal flood water. Dyke design is based on the computed design flood. The criterion for determining the plant safety limit is the conservative assumption that the dyke will fail to withstand a design flood, which will therefore flood the plant premises. A design flood level of 7.06 m was determined based on past storm tides and a probability of occurrence of < 10^-4/a according to KTA 2207. In the case of coastal locations like KKU, the design flood is determined with direct reference to historical storm tide levels. Dyke design considers not only this level but also the oncoming waves. The dyke was verified to be stable and safe under a design flood. A worst case scenario assumed that a design flood would cause a postulated dyke failure in the vicinity of the plant site. In this case, the on-site water level would rise to 3.14 m above MSL, i.e. 0.86 m below the plant safety limit. A surveyor referenced the official data to determine the specific local design flood level. Further investigations were performed to check the design. All investigations revealed that the design criteria remain valid. As far as could be shown, high tides at the design flood scale have never occurred at the plant location. With regard to system engineering, high tide safety as part of the plant design considered a failure of the main heat sink and a stand-by power supply event. Access to the plant will not be impacted by high tides. In case the dyke fails under a high tide, vessels may have to be provided to gain access. There are some vessels on the site. If need be, the facilities of the "Wesermarsch" district fire brigade are available. A significant design margin is provided by the large difference between the anticipated design water level and the water level that the structural design is based upon. Furthermore, there is sufficient early warning time to take measures appropriate to safeguard against a flood in excess of the design water level. Plant design is thus robust enough to make the plant reliably survive a flood. In itself, the protection against flooding provided by the high level of robustness and the strict standards of plant design makes all major safety-related components intrinsically safe. The chosen location, the concept of protecting the plant against flooding, and the available design margins minimise the probability of consequential events of a flood beyond the design flood ratings, in excess of the events considered when assessing the design water level to be realistically anticipated.

Extreme weather
The design considers the following weather loads:
- extremely strong winds,
- extremely high and low ambient temperatures (water and air),
- extreme rainfall,
- biological effects (polluting load),
- lightning stroke,
- low tide.

Conventional construction standards as well as nuclear regulations were applied. Furthermore, the design also covers much greater loads from external hazards such as earthquakes, storm tides/floods, explosion pressure waves and aircraft crash; the design requirements for the safety-related buildings therefore exceed the extreme weather protection requirements by far. The design also takes into account the regulatory requirements for combinations of extreme weather conditions, in particular where they are causally linked. Meteorological instruments monitor the ambient conditions continuously, and automatic and administrative measures are taken before the measured values reach the set points. Overall, the positive results of the extensive assessment of extreme weather conditions, including their potential combination, show that the plant can reliably withstand extreme weather events. Owing to the available design margins, no further measures are required to increase plant safety.


Loss of power supply
KKU has a tiered concept for automatically ensuring the AC power supply of operational and safety-related components, consisting of the main grid connection, the stand-by grid connection, the emergency power supply (ordinary back-up AC power source – NSDA1) and the emergency condition power supply (diverse AC power source – NSDA2). The different stages cover different failures of the AC grid. In addition, an auxiliary diesel generator and an independent third grid connection are available. The emergency power supply is started if neither the main nor the stand-by grid connection is available and a runback to house load operation is unsuccessful; it then automatically supplies all safety-related components required for event control and for maintaining the plant's safety objectives. In line with the plant's redundancy concept, the emergency power supply has four redundant trains. Should all four emergency diesel generators fail, the diverse emergency condition diesel generators (two redundant units) start automatically; the emergency condition power supply can back up the vital functions of decay heat removal. Pursuant to the applicable regulations, the installed equipment and the fuel stored on site ensure that both the emergency power supply and the emergency condition power supply can be maintained by the diesel generators for more than 72 hours, and this period can be extended by supplying additional fuel. In the event of an assumed total failure of the installed AC power, emergency power and emergency condition power supplies, the battery-buffered redundant supply trains power the required I&C and the necessary process components for at least 2 hours.
At this stage, the severe accident procedures would initiate process-oriented emergency measures to ensure decay heat removal and prevent core damage. In parallel, the third grid connection (buried cable) would be connected in an attempt to restore the AC power supply. An additional auxiliary diesel generator is permanently installed on the KKU site and serves as a back-up AC power source in such a case; it is independent of Weser river cooling water. All of the above measures are preventive, i.e. they are intended to preserve the integrity of the fuel elements and the primary circuit and to maintain decay heat removal. Should a preventive measure be unavailable or fail, mitigative measures are available to limit any damage. Considering all of the measures arranged to ensure continuous operation on emergency power, to provide and maintain additional equipment for an assumed failure of all emergency power supplies, to take severe accident measures for uninterrupted decay heat removal, and to ensure mobility and transport under severe failure conditions, no further plant states can be identified that would require additional remedies. A concept of using additional mobile diesel generators to recharge the batteries is under consideration. In view of the amended Atomic Energy Act and depending on the plant's status, all concepts and their boundary assumptions are currently being reviewed.

Loss of the primary heat sink
An assumed failure of the on-site outfall (Vorfluter) or of the pump building would affect both the main cooling water system and the relevant safety systems, i.e. the nuclear service water system and the emergency service water system. This would render the essential service water cooling of the emergency diesels and emergency condition pumps and the nuclear component cooling system unavailable and shorten the residual heat removal chain. A failure of the essential service water system can be compensated by the redundant emergency condition system, each train of which consists of an emergency condition power system and an emergency condition feedwater system. Moreover, in the event of a loss of the service water system, electrical energy for core cooling (residual heat removal chain, steam generator feed) can be supplied by an air-cooled auxiliary diesel generator. The application for adding a mobile air-cooled emergency diesel generator has recently been approved, but the unit has not yet been installed. If the essential service water system is also assumed to fail, several emergency measures are available to ensure both cooling and integrity of the fuel elements in the fuel pool and to restore a residual heat removal chain that removes heat from the primary circuit without the steam generators. Coolant could either be fed directly to the fuel pool, or a pool cooler could be cooled by other means; water would be supplied from the designated systems or as fire-fighting water, drinking water, water from the fire water ponds or river water. A further option is to remove heat from the primary circuit by means of the emergency measures secondary or primary feed and bleed using the steam generators. Measures in shutdown states depend on the plant state and may be equivalent to those for power operation or to those for cooling the fuel pool.
If the heat from the fuel pool or the primary circuit can be removed neither via the available residual heat removal chain nor via the steam generators nor by emergency measures using a pool cooler, use of the containment venting system is a conceivable long-term measure. The time available for switching to alternative heat sinks depends on the fuel and coolant at hand and can be extended as long as required by appropriate emergency measures; initially, however, no external support is needed to maintain the long-term heat sink. This shows that the plant has a wide variety of measures for sustained removal of decay heat. Independently of this, a further measure to improve plant safety, an external feed into the piping of the nuclear service water system, has been approved by the competent authority.


Loss of the primary heat sink following station blackout
Following a station blackout, neither the station service power supply nor the emergency diesel generators are available. KKU can, however, fall back on the emergency condition diesel generators and the third grid connection, so that coolant supply can be ensured by the measures discussed in section 0.8. If the emergency condition diesel generators and the third grid connection are also assumed to have failed, the emergency measures of choice are secondary and primary feed and bleed. After the steam generators have been depressurised, secondary feed and bleed can be carried out using the water inventory of the feedwater lines and the feedwater tank, or by means of a mobile fire-fighting pump drawing from the demineralised water basins or tanks; the demineralised water available is sufficient for about 24 hours. If bleeding is successful but feeding is not, about 90 minutes are gained before the next measure, primary feed and bleed, has to be taken; this provides a further 50 minutes, which suffices to activate the third grid connection or to reconnect the station service power busbars. Both the availability of the third grid connection and prolonged operation of the mobile pumps for secondary and primary feed and bleed depend on external support, in particular on the supply of fuel. The procurement, delivery and connection of fuel are a routine process described in sufficient detail in the Operating Manual (BHB) and the implementation instructions of the Plant Organisation Manual (BOHB). In conclusion, the variety of measures in place to ensure decay heat removal shows that the plant remains safe even following a station blackout.
Nevertheless, applications have been filed for further measures to use a fire water pump for low-pressure feeding of the emergency feedwater system or the emergency condition system, even under harsh ambient conditions. This would provide two further options for heat removal in case secondary feed and bleed fails.

Managing severe accidents
The policy of continuously improving the KKU plant in line with scientific and technological advances has led to a large number of measures aimed at preventing severe accidents or, in the highly improbable case that one occurs, at preventing or at least considerably limiting its effects on the plant and its environment. For beyond design basis accidents, the operator has planned numerous organisational and technical measures and precautions to have the required personnel and technical equipment available on site. The minimum staffing of the shift crew ensures that all severe accident measures can be taken at any time, even in beyond design basis accidents. Plant pagers and telephones are available for alerting the persons who make up the emergency organisation, and staffing shortfalls can be made up by requesting personnel from other E.ON sites.


Periodic emergency drills verify that the arrangements function in a severe accident. Upon notification from the affected plant, E.ON headquarters in Hanover alerts the corporate emergency management team, which is responsible for communication with the press and for corporate decisions. Every plant has the equipment on site to execute the severe accident procedures; where further equipment is needed, it consists of commercially available components of the kind used by fire brigades and emergency services. This helps to almost entirely avoid severe accidents or, should they occur, to slow their progression significantly, providing extra time to bring personnel and technical equipment to the site. The procurement of process and auxiliary materials is regulated in the implementation instructions such that a minimum stock is always at hand; important spare parts are kept on site or can be obtained from the manufacturers through contractually secured stand-by services. Following radiologically relevant releases, the severe accident management team has the radiation protection team perform measurements in the plant's vicinity as specified in the surveillance concept, and advises the competent emergency management authority on whether the public should be alerted. Various means of on-site and off-site communication are available, including wired telephones, radios in different frequency ranges, plant pagers and satellite phones; a blackout-proof telephone line to the grid control centre remains available for several hours. Sufficient equipment is available on site to restore access to buildings blocked by external events. External fire brigades, the technical emergency service (THW) and the nuclear emergency response organisation Kerntechnische Hilfsdienst GmbH (KHG, www.khgmbh.de) are also available under separate support contracts.
In an accident involving radiologically relevant releases of activity, an internal handling concept applies: the radiation protection unit measures the actual activity concentrations in occupied areas and defines the appropriate measures. The control room can be switched to a recirculating air filter so that, despite the radioactivity, staff can remain and work there without respiratory protection. If radiation levels prohibit further use of the main control room, the measures required to shut down the plant and cool the fuel pool can still be taken from the emergency control room (partly bunkered), which is spatially separated from the main control room in the safeguarded building. Explosive gases are detected automatically, and the ventilation of the central control and switchgear building and of the emergency control room building can be switched manually to recirculation mode. If the on-site facilities cannot be used, the severe accident organisation works from the back-up emergency support centre at the Huntorf power station, approximately 20 km from the plant. In the German plants, safety level 4 activities are oriented to safety objectives and are usually triggered by predefined initiation criteria; the requirements for their execution are described in the Emergency Operating Manual. (Explanation for the English version: in addition to the Operating Manual there is a fully established Emergency Manual, which is continuously improved by the operator and supervised by the authority. In contrast to the international approach, this Emergency Manual describes only severe accident measures at safety level 4 and therefore covers both preventive and mitigative measures.) It can basically be assumed that the facilities in flood-proof and earthquake-resistant buildings are available on demand. Owing to the geographical location of the plant, storm tides and floods do not occur suddenly, leaving enough time to erect further barriers with equipment available on site. A distinction is made between a loss of off-site power with the emergency diesel generators available and a loss of power in which they are not. The I&C design complies with the rules of the German Nuclear Safety Standards Commission (KTA) for emergency I&C; these rules specify which measured values have to be brought to the control room displays and the physical (environmental) conditions the I&C design has to withstand. Furthermore, all relevant I&C devices are battery-buffered and remain available for the specified time in the event of a complete loss of power. In addition, KKU has installed extra systems for use in beyond design basis accidents, such as the radioactivity monitoring of the containment venting system and the containment sampling system. The emergency procedures are protection goal oriented. Measures to be taken after core damage have to cover a wide range of possible events. In September 2010, EKK (E.ON Kernkraft) prepared and ordered a SAMG (Severe Accident Management Guidelines) concept for the EKK plants; the corresponding documents are being or will be compiled by AREVA.

Severe accident measures for core cooling, for assuring containment integrity and for limiting radioactive releases into the environment
The measures described in the severe accident guidelines are aimed at preventing core damage and belong to safety level 4; they are associated with the plant's specific safety objectives. The first measures serve to increase the coolant inventory and to restore core cooling in recirculation mode. If the primary circuit is at high pressure after a failure of core cooling, secondary-side and primary-side bleed and feed measures are taken to lower the pressure and temperature in the primary circuit so that water can be injected by passive systems or by the low-pressure injection systems. Although, according to the severe accident guidelines, some measures may be taken in parallel, a priority list specifies which measure must be taken when its initiation criteria are met. Secondary-side bleed and feed by means of a mobile fire-fighting pump can be continued without time limit and can be carried out even if the station AC power supply and the battery system have failed; the same applies to filtered venting of the containment.


Depending on plant status, the extent of damage etc., the severe accident organisation decides whether an attempt is made to restore previously failed systems; the severe accident guidelines also describe procedures for restoring the AC power supply. In addition to the four emergency diesel generators, the plant has two emergency condition power units. The emergency control room is housed in the safeguarded building. The severe accident measures mentioned above can still be taken when the core is damaged; they are capable of terminating core degradation or at least of considerably extending the grace period before further measures become necessary. If, in a meltdown, the reactor pressure vessel is assumed to have failed, the melt comes into contact with concrete. For many accident progression scenarios a coolable configuration is established, so that molten core concrete interaction can be avoided or stopped. Investigations of the consequences of a penetration of the reactor building basemat have shown that, owing to delay times and dilution, the release of fission products is reduced substantially and durably. In the event of severe core damage, hydrogen is generated by the chemical reaction between the fuel rod cladding and the coolant, and further gases are generated during melt concrete interaction. Systems for measuring hydrogen concentrations and HVAC fans are therefore provided to avoid inadmissible hydrogen concentrations in the containment atmosphere. In addition, passive autocatalytic recombiners installed throughout the containment recombine the hydrogen with oxygen to water; these are passive systems that work without external energy or auxiliary systems. Any hydrogen leaking from the containment into the annulus of the reactor building is extracted by the annulus exhaust system.
The containment leakage rate is checked repeatedly by periodic testing and must remain below the specified limits. If the containment is pressurised by evaporation and/or damage to the reactor pressure vessel, the containment pressure can be limited and reduced by operating the containment pressure suppression system and by filtered venting of the containment. Beforehand, the accident-proof sampling system can be used to determine the nuclide composition in the containment and to estimate the activity released during venting. Releases are reduced by the installed iodine and aerosol filters, and the instruments in the vent stack measure the activity being released. The venting system can be restarted as often as necessary, and an accessibility study has shown that it can be operated under the radiological conditions of a core melt. Owing to the high robustness of the containment and the protective measures provided (filtered venting and passive autocatalytic recombiners), a containment failure is not physically plausible. If a containment failure is nevertheless assumed, releases would spread into the annulus between the containment and the reactor building; with the annulus exhaust system in operation, airborne activity is filtered and released via the vent stack, and additional retention can be achieved by activating the demand filter system. The probabilistic safety analysis for the nuclear power plant "KKU" has shown that, owing to its robust and conservative design, the containment is not expected to lose its leak-tightness until it is exposed to twice its design pressure. To ensure sustained subcriticality after a reactor trip (SCRAM) in an accident, the automatically initiated systems feed borated water into the primary circuit; the boron injection is rated such that the reactor remains permanently subcritical after shutdown by the control rods, and the negative temperature coefficients are taken into account in the design. Control systems prevent the injection of deionate (demineralised water). Borated water is also used to cool the fuel elements in the spent fuel pool, although, strictly speaking, owing to the rack geometry and the use of borated steel the boron in the coolant is not needed to ensure subcriticality in normal operation. Under normal operating conditions, the tops of the fuel elements are covered by several metres of water. Should the spent fuel pool boil, the water level falls only very slowly and the boric acid concentration increases. The severe accident procedures described can restore the pool water level by adding demineralised water or coolant from the flooding tanks, and they are also suitable for preventing or reducing the effects of prior core damage. The fuel pool is located inside the containment, which is designed to withstand high pressures, while the reactor building resists external events.


7 KWG / Grohnde

Brief description of the nuclear power plant KWG
The nuclear power plant "Grohnde" is a single-unit power station located on the left bank of the Weser river at river kilometre 124.5 (approx. 10 km upstream of the city of Hameln) in the municipality of Emmerthal, district of Hameln-Pyrmont (Federal State of Lower Saxony). It is a pre-Konvoi (Vor-Konvoi) pressurised water reactor (PWR) manufactured by KWU (Kraftwerk Union, today AREVA NP) with a reactor core of 193 fuel elements. It is a four-loop plant with four steam generators, four entirely separate safety system trains (i.e. four trains for emergency and residual heat removal, four emergency diesel generators, etc.) and four emergency feed power units (inter alia for controlling external hazards). The thermal reactor power of 3900 MW is fed to one high-pressure and three low-pressure turbines to generate a gross electric output of 1430 MW (net 1360 MW). The plant is cooled by the Weser river or via two natural draught cooling towers. The reactor building houses all major safety-related components and is made of reinforced concrete (well over 1 m thick). Inside the reactor building is the full-pressure steel containment, with walls several centimetres thick, enclosing the primary circuit (reactor pressure vessel, connected piping, primary coolant pumps, etc.) with the steam generators and the (spent) fuel pool. The reactor achieved first criticality on 1 September 1984 and the plant commenced commercial power operation on 1 February 1985. By 30 June 2011 it had generated about 300 billion kWh of electricity (for comparison: the Federal Republic of Germany consumed approx. 538 billion kWh in 2010). The licensees of the nuclear power plant "Grohnde" are E.ON Kernkraft GmbH, Gemeinschaftskernkraftwerk Grohnde GmbH & Co. oHG and Gemeinschaftskernkraftwerk Weser GmbH. The probabilistic safety analysis (PSA) performed so far for the periodic safety review (PSR) of KWG pursuant to the BMU guidelines yields Level 1 PSA results (core damage frequency, CDF) clearly below the CDF target specified by the IAEA for operating plants (< 1·10⁻⁴/a); the actual results are as low as those recommended for evolutionary power reactors (1·10⁻⁵/a) and also show how well balanced the systems and plant engineering of KWG are. Level 2 PSA results (calculation of released activity and the associated frequency) show a very low frequency of major releases of fission products from KWG, less than 1·10⁻⁸/a. Taken together, the Level 1 and 2 PSA results show that KWG has a well-balanced safety concept and operates at a very high level of safety.

Earthquake
For the site, an earthquake of intensity 6.5 (EMS/MSK) with an exceedance probability of < 1·10⁻⁵/a is taken as the design intensity. With reference to KTA 2201.1, a ground response spectrum including the associated rigid body accelerations (peak ground acceleration) has been determined (see Fig. 1).

[Fig. 1: design spectrum (horizontal component); horizontal acceleration (m/s², logarithmic axis 0.01 to 10) versus frequency (Hz, logarithmic axis 0.1 to 100); marked spectral values 0.07, 0.75 and 1.60 m/s²]

A seismological survey provided the basis for determining the required seismic engineering parameters, which were then examined by a seismology expert acting on behalf of the nuclear supervisory authority. Further verifications were also made, all of which confirmed the applied ground response spectrum. The seismic design of components and structures serves the following protection goals: a) control of reactivity, b) cooling of the fuel elements, c) confinement of radioactive materials, and d) limitation of radiation exposure. All safety-related buildings and components are therefore designed to withstand the design earthquake, and no damage to safety-related structures or components is expected in a design earthquake. In the event of an earthquake, the external power supply is postulated to be unavailable. The emergency power supply is therefore designed for the design earthquake and provided with redundant back-up (eight diesel generators in total): apart from the four emergency diesel generators (ordinary back-up AC power source – NSDA1), there are a further four emergency feed power diesels (diverse AC power source – NSDA2).

Owing to the low design intensity, a design earthquake can be assumed not to destroy the surrounding infrastructure, so that personnel and equipment have unhindered and undelayed access to the site. The maximum physically possible seismic event is not expected to seriously damage the core or the nuclear fuel. The plant is designed for an earthquake with a probability of occurrence of ≤ 1·10⁻⁵/a and, pursuant to KTA 2207, for a flood with a probability of occurrence of ≤ 1·10⁻⁴/a. Plant design also includes considerable margins and covers the potential combination of earthquake and flood. Seismic PSAs prepared for German nuclear power plants similar to KWG show that the core damage frequency does not increase substantially even for earthquake intensities above the design earthquake. The high level of robustness results from the high design standards applied at the planning and construction stages and from later backfitting during plant operation, and from the plant's design against other external hazards such as aircraft crash and explosion pressure wave. No further measures are therefore planned.

Flooding
Flood protection is based on a design flood level with an exceedance probability of 10⁻⁴/a in accordance with KTA 2207. The maximum water level of a once-in-10,000-years flood was determined as 73.00 m above MSL (design flood level). For this inland site, the flood discharge scenarios were determined first and appropriate methods were then applied to compute the design water levels. To derive the probabilities of various flood levels at the Grohnde site, the gauge data recorded at Bodenwerder were taken as the reference, the Bodenwerder level being conservatively assumed to lie 5.25 m above the water level at the Grohnde site. The plant's grade level is at 72.20 m above MSL, the design flood level is 73.00 m above MSL, and plant construction assumed a design water level of 73.60 m above MSL. A surveyor referenced the official data to determine the site-specific design flood elevation, and further investigations confirmed that the design criteria remain valid. For accident control and for continued normal operation during a flood in accordance with the operating manual, the relevant buildings are designed to withstand the design flood. Accesses to and emergency exits from the safety-relevant buildings are at least 73.60 m above MSL, i.e. at least 60 cm above the design flood level. Wall penetrations below the access levels are sealed against water ingress, and the buildings themselves are protected against uplift (buoyancy). Given the site elevation and the structural design of the non-safety-related buildings, temporary measures are required to maintain the infrastructure; consequential effects on the safety functions can be ruled out. In terms of systems engineering, the flood design case assumes a loss of off-site power, which is covered by the emergency power supply. Vessels will be required to access the plant. The level of robustness and the design standards of the flood protection provide a considerable margin above the design flood level and mean that all major safety-related components are protected. The chosen location, the flood protection concept and the available design margins minimise the probability that a flood beyond the design flood leads to consequences exceeding those already considered when the impact of the design water level was assessed. Plant design meets the KTA 2207 assumption of a once-in-10,000-years flood at a water level of 73.00 m above MSL. Since the vital functions (complete protection of the residual heat removal chains and the emergency residual heat removal chains) are protected up to 73.60 m above MSL, there is a design margin of 60 cm without any additional measures (for a once-in-100,000-years flood the margin is still 10 cm). A significant design margin results from the difference between the anticipated design water level and the water level the structural design is based on, and there is sufficient early warning time to take appropriate measures against a flood exceeding the design water level. Plant design is thus robust enough for the plant to reliably withstand a flood.

Extreme weather

The design considers the following weather loads:
- extremely strong winds,
- extremely high and low ambient temperatures (water and air),
- extreme rainfall,
- biological effects (polluting load),
- lightning stroke,
- low tide.

Conventional construction standards as well as nuclear regulations were considered. Furthermore, the design assumed much greater loads to be protected against, including external effects such as earthquakes, floods, explosion shock waves or aircraft crashes. The design requirements for the safety-related buildings exceed the extreme weather protection requirements by far. The design also takes into account the regulations on combinations of extreme weather conditions, specifically with regard to their causal interdependencies. Meteorological instruments monitor the ambient conditions permanently, and automatic and administrative measures are taken before the measured values reach the set limits. In general, the positive results of the extensive consideration of extreme weather conditions, including their potential combinations, conclusively show that the plant can reliably survive extreme weather events.


Due to the available design margins, no other measures are required to increase plant safety.

Loss of power supply

KWG has a tiered concept for automatically ensuring the AC supply to operational and safety-related components, consisting of the main grid connection, the stand-by grid connection, the emergency power supply (ordinary back-up AC power source, NSDA1) and the emergency feed power supply (diverse AC power source, NSDA2). The different stages of the AC power supply cover different failures of the AC grid. An additional third grid connection and a ninth, mobile diesel generator are also available. The emergency power supply is started if neither the main nor the stand-by grid connection is available and load shedding to house load is unsuccessful. In that case, the emergency power supply is activated automatically to supply all safety-related components required for accident control and for maintaining the plant's safety objectives. The emergency power supply has four redundant trains in line with the plant's redundancy concept. If all four emergency power diesels fail, the emergency feed power diesels are started automatically in all four trains. The emergency feed power supply system is able to back up the vital functions of the decay heat removal facilities. In accordance with the applicable regulations, the installed equipment and the fuel at hand ensure that both the emergency power supply and the emergency feed power supply from the diesel generator units last for well over 72 hours (>> 72 h). The operating time can be extended to more than one week with equipment and fuel stored on site, and further still with external supply of consumables. In the event of an assumed total failure of the installed AC power and of the emergency power/emergency feed power supplies, the battery-buffered redundant supply trains will power the required I&C and the necessary process components for at least 2 hours.
At this stage, the available emergency procedures would initiate process-oriented emergency actions to provide decay heat removal and to prevent core damage. In parallel, the (buried) third grid connection can be connected in an attempt to restore the AC power supply; alternatively, the ninth, mobile diesel generator can be operated. All of the above measures are preventive, that is to say they are intended to preserve the integrity of the fuel elements and the primary cooling circuit and to maintain decay heat removal. Should a preventive measure be unavailable or fail, mitigative measures exist to further control any potential damage. Considering all of the above measures arranged to ensure continued operation on emergency power, to provide and maintain additional equipment in the event of an assumed failure of all emergency power supplies, to take emergency measures for uninterrupted decay heat removal, and to provide full mobility and transportation under serious failure conditions, no other plant states can be identified that would require further remedies.


Loss of the primary heat sink

A loss of the primary heat sink due to an inadmissible blockage of the intake points can be excluded, firstly because of the small water flow required in comparison with the dimensions of the intake structures and their opening cross-sections, and secondly because various cross-connections between the circuits are provided, so that the auxiliary cooling water supply is guaranteed in every case. In case of a component failure in the emergency-diesel-powered residual heat removal chain, the heat will be dissipated by enabling the emergency residual heat removal chain. The two chains of the emergency residual heat removal system are powered by the emergency feed power system, which is protected against external effects. For the possible loss of the cooling water intake, the discharge or the secured service water supply through an underwater blast wave, appropriate measures in accordance with the operating manual or the emergency manual are provided. In the event of a total failure of the service water supply with simultaneous failure of the main cooling water, the heat is discharged on the secondary side via the main steam relief station. First, the start-up and shutdown water supply system is used; if it fails, the emergency feedwater system is used to supply water to the steam generators. If all of the above measures fail, the emergency measures secondary or primary bleed and feed can be used. Mobile pumps can also be used to feed the steam generators. The additional demineralised water required can be taken from the demineralised water supply system, the drinking water supply system or the fire-fighting water system. Measures in non-power modes depend on the state of the plant and may be equivalent to the power mode measures or to those taken to cool the storage pond. Time constraints on using alternative heat sinks depend on the amount of fuel and coolant at hand. Assuming that appropriate contingency measures are taken, the available time can be extended indefinitely.
At first, however, external measures for long-term heat sink operation are not required. The above shows that the plant features a wide variety of measures aimed at sustained removal of the decay heat. Therefore, no further action is required.

Loss of the primary heat sink following station blackout

Following a station blackout, neither the station service power supply nor the emergency diesel generators (NSDA1) will be available. However, KWG still has the fall-back solution of the emergency feed power units (NSDA2), the third grid connection and a mobile diesel generator. Coolant supply can thus be ensured by taking the measures discussed in section 0.8. If the event occurs during power operation, the emergency feed power system will therefore be able to shut down the plant to "subcritical hot" and provide independent decay heat removal.


If the emergency feed power units and the third grid connection are not credited, the emergency measures of choice are secondary and primary bleed and feed or, alternatively, operation of the mobile diesel generator. Once the pressure in the steam generators has been relieved, the steam generators can be fed from the water inventory of the feedwater lines or the feedwater tank, or by using a fire-fighting pump. If the pressure in the steam generators can be relieved successfully (but there is no feeding), significant time is gained before the next measure (primary bleed and feed) has to be taken. By means of the accumulator, the latter will provide some more buffer time, which will suffice to activate the third grid connection or to reconnect the station service power circuits. In parallel, the mobile diesel generator will be put into operation. Operation of the mobile diesel generator and the mobile pumps for a longer period of time as part of secondary bleed and feed is ensured by the availability of appropriate fuel. Generally speaking, the procurement, delivery and connection of fuels is a routine process described in sufficient detail in the Operating Manual (BHB) and in the implementation instructions contained in the Plant Organisation Manual (BOHB). To conclude, the variety of measures in place to ensure decay heat removal indicates that the plant will be safe even following a station blackout. A significant difference in international comparison is the emergency feed power system (4 trains), which allows this event to be controlled within the design basis (no severe accident measures required).

Managing severe accidents

The policy of continuously improving the KWG nuclear power plant in line with scientific and technological advances has led to a variety of measures aimed at preventing severe accidents or, in the highly improbable case of such accidents occurring, at preventing or at least considerably limiting their effects on the plant and its environment. For beyond design basis accidents, the operator has planned many organisational and technical measures and precautions so that the required employees and technical equipment are available on site. The minimum staffing of the shift personnel ensures that all emergency measures can be taken at any time, even in beyond design basis accidents. An automatic alerting system by phone (FACT24) is available for the persons required to make up the emergency organisation team; if it fails, alerting can be done using motorised couriers. Personnel bottlenecks can be made up for by requesting personnel working at other E.ON locations. Periodic emergency drills ensure that everything will work in an emergency. Upon notification from the affected power plant, E.ON Headquarters in Hanover will alert the Corporate Emergency organisation, which will be responsible for communicating with the press and for making corporate decisions. Every plant has the equipment on site to execute the emergency procedures; where further equipment is necessary, this concerns commercially available components as used by fire brigades and emergency services. This will help to almost entirely avoid severe accident events or, should they occur, to significantly slow down the progression of their effects, which provides extra time for the mobilisation of personnel and technical equipment to the site. Procurement of process and auxiliary materials is regulated within the implementation instructions such that there is always a minimum stock at hand. Important spares are kept on site or can be obtained from the manufacturers by means of contractually secured stand-by services. Following radiologically relevant releases, the emergency organisation will have the radiation protection team perform the measurements in the plant's vicinity as specified in the surveillance concept; the team will also advise the competent emergency protection authority as to whether the public should be alerted. Various means of communication are available for on-site and off-site communication, including wired telephones, radios working in different frequency ranges, plant radio receivers and satellite phones. A blackout-proof telephone line allows connection to the grid control centre for several hours. Sufficient equipment is available on site to restore access to buildings blocked by external effects. External fire brigades, the technical emergency service and the national nuclear emergency group (www.khgmbh.de), with separate support contracts, are also available. When an accident with an assumed activity release occurs, an internal handling concept applies, i.e. the radiation protection unit will measure the actual activity concentrations in occupied areas and define the appropriate measures. The control room can be connected to a recirculating air filter which, despite the radioactivity, will allow the staff to stay and work in the room without respiratory equipment. When radiation levels prohibit any further use of the control room, the measures required to shut down the plant and to cool the fuel pool can still be taken from the emergency control room located inside the bunkered emergency feed building at an adequate distance from the main control room.
In this case, the emergency organisation will work from the back-up emergency support centre located at a workshop in Hameln, approximately 10 km away from the plant. In KWG, safety level 4 activities are protection goal oriented and usually predefined by initiation criteria. The requirements for their execution are described in the Emergency Manual, as are the grace periods for the different emergency measures such as primary or secondary feed and bleed. (Explanation for the English version: in addition to the Operating Manual there is a fully established Emergency Manual, which is continuously improved by the operator and supervised by the authority. In contrast to the international approach, this Emergency Manual describes only severe accident measures at safety level 4 and therefore covers both preventive and mitigative measures.) Basically, the facilities in flood-proof and earthquake-resistant buildings are available on demand. Due to the geographical position of the plant, floods can be assumed not to occur suddenly, leaving enough time to build further barriers with the equipment available on site. A distinction is made between the loss of off-site power and the case in which the emergency diesel generators are available. The I&C design complies with the rules issued by the German Nuclear Safety Standards Commission (KTA) for emergency I&C. These rules specify which measured values have to be made available on the control room displays; furthermore, they specify the physical conditions the I&C design has to withstand. In addition, all relevant I&C devices are battery-buffered and remain available for the specified time in the event of a complete loss of power. KWG has also installed extra systems usable during beyond design basis accidents, for example the radioactivity monitoring of the containment venting system and the containment sampling system. The emergency procedures are protection goal oriented, not event oriented. Measures to be taken after core damage scenarios have to cover a wide range of potential events. In September 2010, EKK and AREVA began preparing a SAMG concept (Severe Accident Management Guidelines) for the EKK plants; the corresponding documents will be compiled.

Severe accident measures for core cooling, for assuring containment integrity and for limitation of radioactive releases into the environment

The measures described in the Emergency Manual are aimed at preventing core damage and are dedicated to safety level 4. They are associated with the plant's specific protection goals. The first measures are dedicated to increasing the coolant inventory and to restoring core cooling in recirculation mode. Where the primary circuit is at high pressure following a core cooling failure, secondary and primary bleed & feed measures will be taken to lower the pressure and temperature in the primary circuit and to allow water to be fed by passive systems or to ensure feeding through low-pressure injection systems. Secondary-side bleed & feed by means of a mobile fire-fighting pump can go on without time constraints and can be carried out even if the station AC power supply and the battery system have failed; the same applies to the filtered venting of the reactor containment. Depending on the plant status, the extent of damage etc., the emergency organisation will decide whether an attempt is made to restore previously failed systems. The Emergency Manual also describes procedures for restoring the AC power supply. In addition to the four emergency diesel generators, the plant has four emergency feed power units located in the emergency feed building, which is protected against external impacts; the emergency control room is also housed in this building. The above-mentioned emergency measures can still be taken when the core is damaged, and they are capable of terminating the process of core degradation. If, in the case of a meltdown, the reactor pressure vessel is assumed to have failed, the melt will come into contact with concrete. For many accident progression scenarios a coolable configuration will be established, so that the molten corium-concrete interaction can be avoided or stopped.
Investigations of the consequences of a penetration of the concrete of the reactor building basement have shown that, due to delay times and dilution, the release of fission products can be reduced in a lasting manner.


In cases of severe core damage, hydrogen will be generated by the chemical reaction between the fuel rod cladding material and the coolant; additional gases will be generated during a melt-concrete interaction. Therefore, systems for measuring hydrogen concentrations and HVAC fans exist to avoid inadmissible hydrogen concentrations in the containment atmosphere. Furthermore, a hydrogen recombination system based on autocatalytic recombiners is installed throughout the containment; it recombines the H2 into water. These are passive systems that work without external energy or auxiliary systems. Any hydrogen leaking from the containment into the annular space of the reactor building is extracted by the annulus exhaust. The containment's leakage rate is checked repeatedly by periodic testing and must be below the specified limits. In case of containment pressurisation due to evaporation processes and/or RPV damage, the containment pressure can be limited and decreased by operating the containment pressure suppression system, and a filtered venting of the containment can be performed. Before that, the accident-proof sampling system can be used to evaluate the nuclide composition in the containment and to estimate the activity releases during the venting process. Activity releases are reduced by the installed iodine and aerosol filters (removal efficiency for iodine and aerosols of at least 99.9 %). The instruments in the vent stack measure how much activity is being released. The venting system can be restarted as often as necessary. The usability of the venting system with regard to the radiological conditions in a meltdown situation has been shown by an accessibility study. Due to the high robustness of the containment and the protection measures provided (filtered venting and passive autocatalytic recombiners), a containment failure is physically implausible.
If a containment failure is nevertheless assumed, any releases will spread into the annular space between the containment and the reactor building. With the annulus exhaust system, any airborne activity will be filtered and released via the vent stack; additional retention can be achieved by activating the demand filter system. The results of the probabilistic safety analysis of the "KWG" nuclear power plant have shown that, due to its robust and conservative design, the containment shell is not expected to lose its leak-tightness until exposed to twice its design pressure, which is far beyond the initiating conditions for venting. In order to ensure sustained subcriticality following a SCRAM in an accident, the automatically initiated systems will feed borated water into the primary circuit. Boron injections are rated such that the reactor will remain permanently subcritical after the control elements have shut down the reactor; the negative temperature coefficients are also taken into account by design. Control systems prevent the injection of deionate (demineralised water). Borated water is also used to cool the fuel elements in the spent fuel pool. Strictly speaking, owing to the geometry of the racks and the use of borated steel, the boron in the coolant is not necessary to ensure subcriticality in normal operation. In normal operating conditions, the heads of the fuel elements are covered by several metres of water. If boiling should occur in the spent fuel pool, the water level will decrease very slowly and the boric acid concentration will increase. The emergency procedures described are able to restore the water in the pool to a more normal level by adding demineralised water or coolant from the flooding tanks. These procedures are also suitable means of preventing or reducing the effects of prior core damage. The fuel pool is located inside the containment, which is designed to withstand high pressures, while the reactor building is able to resist external impacts.


8 KWO / Obrigheim

Outline description of the nuclear power plant

Plant description

At the Obrigheim site, EnKK operates a wet storage facility for spent fuel assemblies on the site of the definitively decommissioned nuclear power plant Obrigheim (KWO). The spent fuel storage facility — hereinafter also referred to as the plant — consists primarily of a spent fuel pool with internals and of cooling, supply and auxiliary systems. The spent fuel pool is inside the emergency standby building. A total of 342 spent fuel assemblies are still in storage in this facility. On account of the long decay time since they were used in the KWO reactor (more than six years since the nuclear power plant ceased power operation), the spent fuel assemblies now produce only slight decay heat (totalling less than 165 kW). The emergency standby building is a solid, thick-walled reinforced-concrete structure. The spent fuel storage facility is highly protected against external events. The emergency standby building and the spent fuel pool are in particular designed against design basis earthquake, design basis flooding, aircraft crash, explosion blast wave and extreme weather conditions. Located inside the specially protected part of the emergency standby building, the spent fuel pool is an indoor, independent, solid reinforced-concrete pool structure. The fuel assemblies are stored in spent fuel racks. On account of the high-quality structural design and build of the spent fuel pool and the enclosing emergency standby building, in combination with what is now only slight decay heat from the spent fuel assemblies and the resultant very long grace periods for the preparation and implementation of measures, only passive functions for maintaining the safe, secure condition of the spent fuel storage facility are to be considered as safety functions.
The passive safety functions of the spent fuel storage facility in the emergency standby building are the integrity of the spent fuel storage facility, the safety barrier for activity retention, and the maintenance of sub-criticality. Consequently, the active functions of the spent fuel pool systems for heat removal and for power supply are designated important operational and auxiliary functions, which are nonetheless of high-grade systems engineering design. Heat removal from the spent fuel pool is by two mutually independent cooling chains. The cooling chains — each consisting of pool cooling system, emergency closed cooling water system and emergency auxiliary service water system with cell coolers — are of emergency-power-backed, two-leg-redundant and spatially segregated design. Heat removal is via cell coolers to the ambient air. There is no dependency on river water conditions (high water level, low water level, foreign-matter load).


At a pool water temperature of 60 °C, each cooling leg can remove approximately 3.2 MW of heat. On account of what is now no more than slight decay heat of less than 0.165 MW to be removed, there are very high margins with regard to the heat-removal design of the cooling chains. With the exception of the cell coolers and those parts of the emergency auxiliary service water system that run underground, all components for heat removal are installed inside the emergency standby building. The KWO plant has an external 110 kV main-grid power supply and an external 20 kV off-site power supply connection for the auxiliary power supply. If the 110 kV grid link fails, the 6 kV auxiliary power supply bus-bars are switched to the 20 kV off-site power supply. Power supply to the emergency standby building and the spent fuel storage facility is via air-cooled 6 kV/0.4 kV transformers installed outdoors and spatially segregated from each other. The two-leg diesel-backed power supply in the emergency standby building consists of two leg-dedicated, spatially segregated diesel units with generators and supplies in particular the consumers intended for heat removal from the spent fuel pool. Other important operational and auxiliary functions for operation of the spent fuel storage facility are installed inside the emergency standby building, including a backup control center for operation and monitoring of the active system functions and a demineralized water supply, for example for injecting makeup water into the spent fuel pool.

Culture and guidelines

The two units at the Neckarwestheim site (GKN I and GKN II), the two at the Philippsburg site (KKP 1 and KKP 2) and the definitively shut down (decommissioned) Obrigheim nuclear power plant (KWO) are operated by EnBW Kernkraft GmbH (EnKK). The safety of its plants is a top priority for EnKK. The guiding principle is "safety takes priority over economic efficiency".
Just like all other German plants, EnKK's nuclear power plants are subject to permanent, independent legal supervision (nuclear supervisory authority). The premise that safety in the operation of the plants has topmost priority is also anchored organizationally in EnKK through the management system for nuclear safety, quality assurance, environmental protection and occupational health and safety (Integrated Management System), certified in accordance with international standards. For the safety of its nuclear power plants, EnKK consistently pursues a comprehensive approach making equal provision for the human, technology and organization factors and their interaction. This approach is aimed at continuous optimization and development in all the above-mentioned fields. On account of the safety philosophy outlined above, the plants are operated at a very high safety level, and this also holds true in international comparison. In fact, for the four plants GKN I, GKN II, KKP 1 and KKP 2 the current results of the safety reviews required by law show that, without exception, all 4 plants satisfy all safety requirements. The safety level of the plants is comparable with that required by the International Atomic Energy Agency (IAEA) for new plants. (Note: Legislation does not require a safety review of KWO, which was decommissioned in 2005.) In addition, the International Atomic Energy Agency (IAEA) has repeatedly confirmed an EnKK safety standard of the highest international level. On the initiative of EnKK, the agency assessed the Philippsburg (in 2004 and 2006) and Neckarwestheim (in 2007 and 2009) nuclear power plants in the framework of OSART missions. Given the above-mentioned comprehensive view of the human, technology and organization factors in safety, OSART missions serve the purpose of gaining knowledge of the human and organizational aspects of a nuclear power plant. On the basis of its findings, the IAEA declared that EnKK evinces "overall a high degree of commitment and leadership in the management of safety and safety culture." Correspondingly, the plants achieved very good results measured by international standards. Taken overall, therefore, the comprehensive assessment of the EnKK plants is one of an excellent safety level and a high human-factor and organizational safety culture. In order to ensure that this high degree of safety is not only maintained but constantly raised, EnKK invests and optimizes continuously with regard to all three factors, and the company will also continue to identify new requirements and implement measures as necessary. In these endeavors, EnKK will continue to pursue its comprehensive approach — in operating, in decommissioning and in dismantling the plants — the approach that makes equal provision for the human, technology and organization factors.

Earthquake

The Obrigheim site is located in an area of slight seismicity. The emergency standby building and the spent fuel storage facility are designed against design basis earthquake, design basis flooding, aircraft crash and explosion blast wave. The seismic load assumptions underlying the design of the emergency standby building and the spent fuel storage facility have been cross-checked repeatedly by different groups of experts and are well validated. The reassessments returned no findings necessitating a change to the seismic load assumptions. The design basis accident 'design basis earthquake' is controlled with the existing safety functions; no mobile equipment is necessary. Compliance with the basis for licensing is supported by the written operating procedures. These include in particular the officially approved operating ordinances, which together with other documents regulate measures and activities such as corrective maintenance and repair, modifications, preventive maintenance and in-service inspections. Measures and activities are also controlled in the framework of process monitoring with the existing integrated management system. Within the framework of both continuous and periodic review, no deviations from the existing documentation required by the licensing authority were identified.


On account of the high-grade design and build of the plant and the favorable seismic conditions at the Obrigheim site, robustness against seismic events is very high. Measures to increase the robustness of the plant against earthquake are not necessary. With regard to the safety functions, the spent fuel storage facility is spatially and functionally decoupled from the rest of the plant (which is in part in the process of being dismantled) and is therefore independent. Damage caused by earthquake or flooding to the other parts of the plant does not affect the safe condition of the spent fuel storage facility. With regard to the spent fuel assemblies still requiring storage, which have a decay time in excess of 6 years, the spent fuel pool is well over-dimensioned. At this time the thermal output is less than 165 kW. Starting from the usual operating maximum temperature of the water in the spent fuel pool of 28 °C, a temperature of 60 °C is not reached until after approximately 5 days. Without make-up water, the water content of the spent fuel pool would not drop by evaporation to the vicinity of the fuel assembly heads until approximately 75 days had elapsed. On account of these very long grace periods for the preparation and implementation of measures, a very long period of time is obviously available for the initiation of active functions such as start-up of the cooling systems. Consequently, a failure of active components (e.g. components of the cooling system or the power supply) is of no significance with regard to the safe condition of the spent fuel storage facility. Passive functions are decisive for the safety of the spent fuel storage facility. The high level of robustness is achieved by the structural design and build of the emergency standby building and the spent fuel storage facility.
The spent fuel pool is constructed as an independent reinforced-concrete pool (with an austenitic-steel interior lining) inside the emergency standby building, set at a low level on the foundation slab of the emergency standby building and decoupled from the outer wall of the emergency standby building by spacing all round. The low siting, the layout and the over-dimensioning of the storage pool and the special design of the physical structures of the emergency standby building, particularly in the area of the storage pool, offer particularly robust passive protection against external events. With regard to the earthquake service condition there are considerable design margins on account of the solid and over-dimensioned physical structure of the spent fuel storage facility and the emergency standby building. Wall-penetrating cracks in the spent fuel pool that could lead to relevant water loss from the spent fuel pool can be virtually precluded. Even with a considerable water loss from the lower part of the spent fuel pool, the spent fuel racks in the spent fuel pool remain fully submerged, on account of the large water inventory, the compactness of the building area of the spent fuel storage facility, the solid structural segregation of the room from the rest of the emergency standby building, and the design and build of the basement level of the emergency standby building. Even under these circumstances, no abrupt step change would occur in the course of the event. Even with an almost complete exposure of the fuel assemblies, serious fuel-rod damage can be virtually precluded on account of the very low heat output.
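The grace periods quoted above (about 5 days to reach 60 °C and about 75 days until the water level drops to the fuel assembly heads, at less than 165 kW of decay heat) follow from a simple energy balance. The Python script below is an added example, not part of the licensee report or of EnKK's analysis: it estimates both periods and the make-up water rate needed to hold the level once the pool boils. The pool water masses (532 t heated up, 473 t available above the fuel heads) are assumptions constructed only to be consistent with the report's figures; the report does not state the pool volume.

```python
"""Grace-period estimate for a spent fuel pool after loss of all cooling.

Added example, not taken from the licensee report. It implements the energy
balance behind the Obrigheim figures in the text: decay heat below 165 kW,
heat-up from 28 °C to 60 °C in about 5 days, water level down to the fuel
assembly heads after about 75 days without make-up water.

ASSUMPTION: the water masses below are constructed so that the estimate is
consistent with those figures; the report does not give the pool volume.
"""
from dataclasses import dataclass

CP_WATER = 4186.0          # specific heat of water [J/(kg K)]
H_VAP = 2.26e6             # latent heat of vaporisation, approx. at 100 °C [J/kg]
SECONDS_PER_DAY = 86400.0


@dataclass(frozen=True)
class PoolState:
    decay_heat_w: float        # total decay heat of the stored assemblies [W]
    water_mass_kg: float       # total water inventory heated up [kg] (assumption)
    mass_above_fuel_kg: float  # water that can evaporate before the fuel heads are exposed [kg] (assumption)
    temp_c: float              # pool temperature at loss of cooling [°C]


# Constructed state matching the figures quoted in the report for KWO today.
OBRIGHEIM_TODAY = PoolState(
    decay_heat_w=165e3,          # upper bound given in the report (< 165 kW)
    water_mass_kg=532e3,         # ASSUMED: ~532 m^3 gives ~5 days to 60 °C
    mass_above_fuel_kg=473e3,    # ASSUMED: ~473 m^3 gives ~75 days boil-off
    temp_c=28.0,                 # usual operating maximum per the report
)


def heatup_days(pool: PoolState, limit_c: float = 60.0) -> float:
    """Days until the pool reaches limit_c with all cooling lost.

    Adiabatic estimate: all decay heat becomes sensible heat of the water.
    Evaporation and heat losses into the concrete are ignored; both would
    slow the heat-up, so the estimate errs on the short (conservative) side.
    """
    if limit_c <= pool.temp_c:
        return 0.0
    energy_j = pool.water_mass_kg * CP_WATER * (limit_c - pool.temp_c)
    return energy_j / pool.decay_heat_w / SECONDS_PER_DAY


def boiloff_days(pool: PoolState) -> float:
    """Days until the water above the fuel heads has evaporated, no make-up.

    Bounding estimate: every joule of decay heat evaporates water at H_VAP.
    The sensible heat needed first to reach saturation and the losses from
    the building are ignored, which again shortens the estimate.
    """
    evaporation_kg_per_s = pool.decay_heat_w / H_VAP
    return pool.mass_above_fuel_kg / evaporation_kg_per_s / SECONDS_PER_DAY


def makeup_rate_m3_per_day(pool: PoolState) -> float:
    """Make-up water needed to hold the level once the pool is boiling.

    Useful for sizing the demineralised water supply mentioned in the text;
    1 kg of water is taken as 1 litre.
    """
    return pool.decay_heat_w / H_VAP * SECONDS_PER_DAY / 1000.0


def grace_periods(pool: PoolState, limit_c: float = 60.0) -> dict:
    """The three quantities a planner needs to judge how urgent active measures are."""
    return {
        "heatup_days": heatup_days(pool, limit_c),
        "boiloff_days": boiloff_days(pool),
        "makeup_m3_per_day": makeup_rate_m3_per_day(pool),
    }


if __name__ == "__main__":
    for key, value in grace_periods(OBRIGHEIM_TODAY).items():
        print(f"{key}: {value:.1f}")
```

Because both estimates are linear in the decay heat, halving the decay heat doubles each grace period, which is why the margins at Obrigheim keep growing as the assemblies age; the same functions can be applied to a freshly shut-down pool by entering its (much higher) decay heat.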


On account of the high level of protection of the emergency standby building and the spent fuel storage facility, fuel rod integrity of the spent fuel assemblies even in an aircraft crash is robustly validated. Even if fuel rod damage is assumed nevertheless, the intervention guide values set out by the Radiation Protection Commission for radiation protection measures for the public would be undershot by a wide margin even in the vicinity of the plant. The precautions and measures as implemented are appropriate for ensuring the safe condition of the spent fuel storage facility even in beyond-design-base events.

External Floods The emergency standby building and the spent fuel storage facility are designed against design basis flooding. The accesses in the low levels of the emergency standby building are located on a site elevation approximately 2 meters above the water level of the Neckar calculated for the 10,000-year high water level at the site. Design margins against beyond-design-base high water are also high. The pipe and cable penetration assemblies and access routes to the emergency standby building and to the spent fuel storage facility are high grade and water-tight, in accordance with the requirements for plant safety. The protection against design basis flooding on which the design of the emergency standby building and the spent fuel storage facility is based has been repeatedly cross-checked and is well validated. The design basis accident 'design basis flooding' is controlled with the existing permanent (passive) protection functions. No mobile equipment and supply functions are necessary. Compliance with the basis for licensing is supported by the written operating procedures. These include in particular the officially approved operating ordinances, which together with other documents regulate measures and activities such as corrective maintenance and repair, modifications, preventive maintenance and in-service inspections. Measures and activities are also controlled in the framework of process monitoring with an existing integrated management system. Within the framework of both continuous and periodic review, no deviations from the basis of licensing were identified. On account of the permanent (passive) protection measures (including structural build and layout of the emergency standby building and the cell coolers on site), which were the basis for design, and the fit-for-purpose location of the spent fuel storage facility on the KWO site, protection against flooding is high-grade and robust.
On account of the low heat output of the fuel assemblies the grace periods without the necessity for active intervention are very long. Even flooding events exceeding design basis flooding do not lead to situations endangering maintenance of the safe condition of the spent fuel storage facility. Measures to increase the robustness of the plant against flooding are not necessary. With regard to high water, the emergency standby building and the spent fuel storage facility have a very high robustness and high design margins.


Extreme weather conditions Within the framework of design and design assessment, the impacts of extreme weather conditions to be assumed at the site in accordance with the standards were considered. The emergency standby building and the spent fuel storage facility have high-grade design against design basis earthquake, design basis flooding, aircraft crash and explosion blast wave. The emergency standby building with its accesses including assembly openings and pipe and cable penetration assemblies to the emergency standby building and to the spent fuel storage facility is of high-grade design as per the requirements of plant physical security and the structural build is such that it is water-tight. The high-grade structural design and build of the emergency standby building and the spent fuel storage facility robustly cover structural load postulations from natural weather events. On account of the very low demand on heat removal from the spent fuel pool and the consequent very long grace periods, neither automatic-trigger nor manual-initiation active functions of systems and components (e.g. cooling systems, power supply) are necessary to maintain the safe condition. All in all, extreme weather conditions have no safety-relevant impacts on the spent fuel storage facility. Measures to increase the robustness of the plant against extreme weather conditions are not necessary.

Loss of power The high-grade and robust design and build of the spent fuel storage facility and the emergency building and the very long grace periods for preparation and implementation of active functions (e.g. start-up of the cooling systems) ensure that only passive functions for maintenance of the safe condition of the spent fuel storage facility are to be considered as safety functions. On account of the high quality of the passive safety functions neither automatic-trigger nor short-notice manual-initiation of active system functions are necessary to maintain the safe condition, even if power is lost. On account of the very long grace periods for preparation and implementation of measures, the active functions for power supply are designated important operational and auxiliary functions of the spent fuel storage facility. Notwithstanding the above, a robust power supply of high-grade design is available for the spent fuel storage facility. If the entire off-site power supply fails the diesels in the emergency standby building are started. One leg of the diesel-backed power supply is sufficient to ensure the power supply to the plant. With the two diesels operating sequentially and allowing only for the fuel and lube-oil reserves available inside the emergency standby building, the power supply for the plant is ensured for more than 72 hours.

In the event of a loss of off-site power of longer duration, further fuel reserves and lube-oil supplies are available on the KWO site for operation of the diesel in the emergency standby building for more than 1 week. Very long grace periods — extending even beyond the target time of 72 hours without external support — are available for preparation and implementation of measures to restore active functions (e.g. restoration of the power supply) in the plant. Within the very long grace periods, for example, recovery measures can be undertaken to restore the three-phase power supply. Adequate human resources, both shift personnel and specialists, are available for the purpose.

Loss of primary heat sink The high-grade and robust design and build of the spent fuel storage facility and the emergency building and the very long grace periods for preparation and implementation of active functions (e.g. start-up of the cooling systems) ensure that only passive functions for maintenance of the safe condition of the spent fuel storage facility are to be considered as safety functions. On account of the high quality of the passive safety functions neither automatic-trigger nor short-notice manual-initiation of active system functions are necessary to maintain the safe condition. On account of the very long grace periods for preparation and implementation of measures, the active functions for heat removal are designated important operational and auxiliary functions of the spent fuel storage facility. Notwithstanding the above, robust heat removal systems of high-grade design are available for the spent fuel storage facility. If both cooling chains fail, taking as the point of departure the usual operating maximum temperature of 28 °C, the pool water does not reach a temperature of 60 °C until after approximately 5 days. Without pool water inlet, the water content of the spent fuel pool would not have dropped by evaporation to the range of the fuel assembly heads until approximately 75 days had elapsed. On account of the high-grade and robust design and build of the emergency building and the spent fuel storage facility, and the very long grace periods, a failure of the heat removal systems of the spent fuel storage facility has no effects on maintenance of the safe condition of the spent fuel storage facility.

Loss of ultimate heat sink combined with station blackout The high-grade and robust design and build of the spent fuel storage facility and the emergency building and the very long grace periods for preparation and implementation of active functions (e.g. start-up of the cooling systems) ensure that only passive functions for maintenance of the safe condition of the spent fuel storage facility are to be considered as safety functions. On account of the high quality of the passive safety functions neither automatic-trigger nor short-notice manual-initiation of active system functions are necessary to maintain the safe condition. On account of the very long grace periods for preparation and implementation of measures, the active functions for power supply are designated important operational and auxiliary functions of the spent fuel storage facility. Notwithstanding the above, a robust power supply of high-grade design is available for the spent fuel storage facility. In a station blackout (failure of the off-site power supply and failure of the on-site diesel-backed power supply) the power supply to the systems for heat removal from the spent fuel pool is by design initially not available. The I&C equipment is supplied off batteries. Very long grace periods — extending generally even beyond the target time of 72 hours without external support — are available for preparation and implementation of measures to restore active functions (e.g. restoration of the power supply) in the plant. On account of the high-grade and robust design and build of the emergency building and the spent fuel storage facility, and the very long grace periods, the condition of the spent fuel storage facility is safe even given the by-design non-availability of the heat removal systems in a station blackout.

Management of severe accidents On account of the high-grade and robust design and build of the emergency standby building and the spent fuel storage facility, particularly with regard to special service conditions, and the very low demand on heat removal from the spent fuel pool and the consequent very long grace periods for preparation and implementation of measures, the implementation of suitable accident management measures is unproblematic. On account of the high quality of the passive safety functions neither automatic-trigger nor short-notice manual-initiation active system functions are necessary to maintain the safe condition. An organizational structure of licensee EnKK, adapted to the plant condition and responsible for handling accident events (design-base and beyond-design-base) at the Obrigheim site, is in place at the Obrigheim site. EnKK's organizational structure and the responsibilities, particularly for detection and management of accident events, are set out in the operating procedures. The organization for accident events consists of a group led by a Technical Manager. The Technical Manager, generally the Technical Director, bears overall responsibility for maintenance of safe plant condition and for the measures to be adopted. The postholder undertakes control in the field and designates, particularly on an event-specific and condition-specific basis, the individuals for the various specific response teams, the leaders of the response teams and the person responsible for liaising with the authorities and the emergency services organizations. The initiation of off-site alerts and alarms (notification, pre-alert and disaster alarm) lies within the remit of the head of the disaster control authority. The criteria for notifying and alerting the disaster control authority by EnKK in relation to the Obrigheim site are set out in the operating procedures.
With regard to the fill level of the external spent fuel pool, the criteria were based on the Reactor Safety Commission and the Radiation Protection Commission joint recommendations for disaster control authority alerting by the operators of nuclear facilities. Assuming failure of the cooling systems of the spent fuel pool (heating and evaporation of the pool water) and the operational boundary conditions in the spent fuel pool at the start of the assumed failure, the grace periods are approximately 50 days before the criterion for "pre-alert" is reached and approximately 75 days before the "disaster alarm" criterion is reached. On account of the high-grade and robust design and build of the emergency standby building and the spent fuel storage facility, reaching these criteria is not equivalent to significant release of fission products. The times are based on a conservative calculation of the grace periods given integrity of the spent fuel pool. Measures to be taken in the framework of detection and control are initially defined on the basis of the specifics set out in the operating procedures and subsequently, on account of the very long grace periods, suitably situation-based on the grounds of an extensive assessment of the situation as-is, drawing on the assessments of specialists and management personnel and if necessary external experts. On account of the accident events to be considered and the very long grace periods, ready-from-standby measures descriptions are not necessary. In an accident event, the EnKK organization at the Obrigheim site decides, particularly on an event-specific and condition-specific basis, on EnKK-internal or external reinforcement. For example the EnKK organization at the Obrigheim site is supported, insofar as necessary, by an organization known as the "crisis response organization" in place within the EnBW group. The crisis response organization includes what is known as a crisis management group including, inter alia, coordinators and teams for nuclear, specialist-engineering, support and communication issues.
The overall radiological situation is assessed on the basis of the radiological conditions in the plant and at the site and in the vicinity of the site. Monitoring points that return measured values for local dose rates and activity concentrations are in place in the environment of the Obrigheim site, outdoors on site, and inside the site buildings. Measured values for meteorology are obtained in the vicinity of the plant (e.g. wind direction and wind velocity, ambient temperature). Special radiological measured values and measured values for meteorology from the Obrigheim site are transmitted via the nuclear reactor remote monitoring system to the authorities responsible for radiological monitoring in Baden-Württemberg (including the Ministry of the Environment, Climate Protection and the Energy Sector, UM-BW). Factors that could hinder accident management, such as destruction of the infrastructure (earthquake, flooding), loss of communication facilities, accessibility of the control room or the backup control center, difficult radiological boundary conditions or failure of instrumentation, have no effect on maintenance of the safe condition of the plant, because in the early phase of event occurrence no active measures for accident management are necessary and for longer-term measures very long grace periods are available for preparation and implementation of measures.

Accident management measures Effective retention of the radioactive inventory in the spent fuel storage facility takes place on the lines-of-barrier principle. The sub-criticality of the spent fuel assemblies is robust. Along with the barriers for retaining radioactive substances, there are also barriers for shielding direct radiation from the fuel assemblies. These are the pool water, the solid thick reinforced-concrete walls of the spent fuel pool and the solid thick reinforced-concrete structures of the emergency standby building. With regard to accidents and very rare events, for the special boundary conditions of the external spent fuel storage facility there are safety barriers for activity retention, retention of fission products in the crystal lattice of the fuel and retention of radioactive substances in the water-filled spent fuel pool solid structure. The primary objective of all measures to be implemented, regardless of the fill level to which the water in the spent fuel pool drops, is restoring adequate water coverage of the fuel assemblies. The secondary objective is to restore heat removal via the existing cooling systems. On account of the special build and design of the physical structures in the specially protected area of the spent fuel storage facility and the low-lying, structurally decoupled spent fuel pool, a significant loss of water from the spent fuel pool is virtually precluded. Taking as a basis the usual operating maximum water temperature in the spent fuel pool of 28 °C, a water temperature of 60 °C is not reached until after approximately 5 days and a water temperature of 100 °C is not reached until after approximately 12 days. The water content of the spent fuel pool would not have dropped by evaporation to the vicinity of the fuel assembly heads until approximately 75 days had elapsed. Consequently, ahead of a significant drop in fill level the grace periods for advance effective counter-measures are very long.
If coolant inventory drops below a defined level, irrespective of the event the operating instructions provide for make-up of the water inventory in the spent fuel pool by means of the operational demineralized water supply, which is located in its entirety inside the emergency standby building. A large supply of demineralized water is available for this purpose. Alternatively, provision is also made for make-up with water from the fire extinguishing system (by hose line) into the storage pool. On account of the very long grace period for preparation and implementation of measures, comprehensive assessments of the accident events can be made and if necessary further measures implemented with the objective of establishing sufficient water coverage of the fuel assemblies. Other possibilities for the provision of make-up water can be used as the situation requires.
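The grace periods quoted throughout this summary (28 °C to 60 °C in about 5 days, 100 °C in about 12 days, evaporation down to the fuel assembly heads after about 75 days, from a decay heat below 165 kW) follow from a simple energy balance. The following is an added worked example, not part of the licensee report and not EnKK's calculation: it treats the pool as one well-mixed water mass under a constant heat load, back-calculates the water inventory from the report's 5-day figure, and then predicts the time to 100 °C and the boil-off rate. The 165 kW upper bound, constant (non-decaying) heat load, textbook specific and latent heat of water, and the absence of heat losses to the building are all assumptions of this model; the report's own figures will have used the real pool geometry and decay-heat curve, so the model can only show that the stated milestones are mutually consistent, not reproduce them exactly.

```python
"""Lumped-parameter estimate of spent fuel pool heat-up and boil-off grace periods.

Added worked example (not from the licensee report). The pool is modelled as a
single well-mixed water mass heated by a constant decay-heat load; the water
inventory is inferred from the report's own figures (<165 kW, 28 °C -> 60 °C in
about 5 days). Constant heat load, constant specific heat, boiling at 100 °C and
no heat loss to the building are assumptions of this model.
"""

from dataclasses import dataclass

SECONDS_PER_DAY = 86_400.0
C_WATER = 4_186.0    # J/(kg·K), specific heat of liquid water (assumed constant)
L_VAPOUR = 2.26e6    # J/kg, latent heat of vaporisation near 100 °C (assumed)


@dataclass
class PoolModel:
    decay_heat_w: float       # constant decay-heat load in W (conservative: no decay over time)
    water_mass_kg: float      # well-mixed water inventory in kg
    t_start_c: float = 28.0   # usual operating maximum temperature quoted in the report

    def days_to_temperature(self, t_target_c: float) -> float:
        """Days without any cooling until the bulk water reaches t_target_c."""
        if t_target_c <= self.t_start_c:
            return 0.0
        energy_j = self.water_mass_kg * C_WATER * (t_target_c - self.t_start_c)
        return energy_j / self.decay_heat_w / SECONDS_PER_DAY

    def boil_off_rate_kg_per_day(self) -> float:
        """Mass evaporated per day once the pool has reached saturation."""
        return self.decay_heat_w / L_VAPOUR * SECONDS_PER_DAY

    def mass_boiled_off_by_day(self, day: float) -> float:
        """Cumulative evaporated mass (kg) at a given day; boiling starts at 100 °C."""
        boil_start = self.days_to_temperature(100.0)
        if day <= boil_start:
            return 0.0
        return (day - boil_start) * self.boil_off_rate_kg_per_day()


def infer_water_mass(decay_heat_w: float, t_start_c: float, t_end_c: float, days: float) -> float:
    """Back out the water mass consistent with a known heat-up time (model calibration)."""
    return decay_heat_w * days * SECONDS_PER_DAY / (C_WATER * (t_end_c - t_start_c))


def obrigheim_estimate() -> dict:
    """Calibrate on 28 °C -> 60 °C in 5 days, then predict the later milestones."""
    heat_w = 165_000.0   # report: 'less than 165 kW'; used here as an upper bound (assumption)
    mass = infer_water_mass(heat_w, 28.0, 60.0, 5.0)
    pool = PoolModel(decay_heat_w=heat_w, water_mass_kg=mass)
    return {
        "water_mass_kg": mass,
        "days_to_60C": pool.days_to_temperature(60.0),
        "days_to_100C": pool.days_to_temperature(100.0),
        "boil_off_kg_per_day": pool.boil_off_rate_kg_per_day(),
        # fraction of the calibrated inventory gone by the report's 75-day milestone
        "fraction_boiled_off_by_day_75": pool.mass_boiled_off_by_day(75.0) / mass,
    }


if __name__ == "__main__":
    for key, value in obrigheim_estimate().items():
        print(f"{key:32s} {value:14.3f}")
```

With these inputs the implied inventory is roughly 530 t of water, the bulk temperature reaches 100 °C after about 11 days (the report says approximately 12), and the constant 165 kW load evaporates about 6.3 t per day, so by day 75 roughly three quarters of the calibrated inventory has boiled away. Because real decay heat falls over the weeks in question and the model ignores heat losses, each of these figures is pessimistic, which is the direction a grace-period estimate should err in.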


The accessibility of the room areas of the spent fuel storage facility necessary for implementation of the respective measures can be ensured without difficulty, for example with mobile extraction equipment and purging of the ambient air, even after an extended period of evaporation cooling. When water coverage of the fuel assemblies is approximately 1 meter, the dose rate at the top edge of the spent fuel pool would be approximately 5 mSv/h. Simple activities at the pool edge (e.g. laying hose lines for provisional water make-up, walkdowns, taking measurements) are therefore possible without difficulty from the health physics point of view, even when water coverage is only approximately 1 meter. The grace period before a fill level of approximately 1 meter of fuel assembly coverage in the spent fuel pool is reached is calculated at approximately 65 days. Consequently, a very long period of time is available for undertaking measures in the direct vicinity of the spent fuel pool without hindrance. Moreover, it is not absolutely necessary to undertake measures from the upper part of the spent fuel pool in order to establish facilities for supplying make-up water to the spent fuel pool. The rooms in which active and passive components of the storage pool cooling system are located (e.g. pumps, heat exchangers, connections for make-up water) are separated from the spent fuel pool itself by solid reinforced-concrete structures which also constitute an effective radiation barrier vis-à-vis the spent fuel pool. On account of the distance at which it is located and the physical structure (reinforced-concrete walls and floor/ceiling slabs) the standby control center is adequately radiation shielded vis-à-vis the spent fuel pool and is unrestrictedly accessible. Without make-up water, the water content of the spent fuel pool would not have dropped by evaporation to the vicinity of the fuel assembly bottoms until approximately 95 days had elapsed.
On account of the very low heat output, even if the fuel assemblies were almost completely exposed, significant releases of hydrogen or serious fuel rod damage and the associated release of fission products are virtually precluded. Special measures for hydrogen management are not necessary. The longer-term important measure for limiting activity release is refilling of the spent fuel pool with water to maintain a safety barrier function for retention and shielding of the radioactive substances. Further reduction of activity release can be achieved by means of the exhaust air flow rate from the spent fuel storage facility, by means of the operational two-stage filtration of the air, or by isolation of the air ventilation of the spent fuel storage facility. If isolation or filtration of the exhaust air is wholly or partly not possible on account of damage, refilling of the spent fuel pool with water is sufficient to limit the activity releases. The "aircraft crash" special service condition is definitive for the build and design of the physical structures of the emergency standby building and the structurally decoupled spent fuel pool. Consequently, both the part of the emergency standby building that is specially protected against dynamic loads, in which the spent fuel pool is sited, and the structurally decoupled spent fuel pool have considerable design margins against the earthquake service condition. Wall-penetrating cracks in the pool structure that could lead to significant water losses from the spent fuel pool into the emergency standby building are virtually precluded. In a significant water loss from the bottom part of the spent fuel pool to the surrounding part of the building, the spent fuel pool is separated from the rest of the emergency standby building by walls, so in these circumstances too, complete water coverage of the storage racks in the spent fuel pool is maintained. On account of the very long grace periods before measures have to be initiated, there is ample time for assessment of the situation as-is and choice of suitable situation-based measures, drawing on the assessments of specialists and management personnel and if necessary external experts. The planned measures can without difficulty be undertaken without special external resources and support.


9 GKN I / Neckarwestheim 1

Outline description of the nuclear power plant Plant description The Neckarwestheim Nuclear Power Plant with two pressurized water reactors is located at a closed quarry on the Neckar River nearly 10 km south of the city of Heilbronn. Unit 1 (GKN I) is a KWU (Kraftwerk Union) 3-loop plant with three steam generators and a reactor core with 177 fuel assemblies. The safety systems largely have a four-leg design with spatial separation (e.g. 4 emergency core cooling and residual heat removal systems, 4 emergency diesels, two of which are well structurally protected for control of external events). The plant thermal output of 2497 MW can be converted into a total gross electrical output of 840 MW by a three-phase turbo generator and a separate turbo generator for railway electricity. Depending on the water level of the Neckar River, the supply of cooling water for GKN I is ensured directly by river water cooling, by cell cooling tower operation, or by a combination of both. A reinforced concrete reactor building encloses safety-important plant equipment along with a large spherical, several-centimeter-thick steel shell that forms the full-pressure containment. It encloses the primary cooling circuit with its components (including, inter alia, the reactor pressure vessel with connecting piping, the main cooling pumps and the steam generators) and the fuel element storage pool for spent fuel elements. NPP Neckarwestheim Unit 1 entered commercial operation on December 01, 1976 and had generated about 200 thousand million kWh gross electrical energy up to the beginning of the moratorium in mid-March 2011. Licensee of the Neckarwestheim Nuclear Power Plant is the EnBW Kernkraft GmbH (EnKK).
The Probabilistic Safety Analyses performed up to now within the framework of the periodic safety review for GKN I in accordance with the Probabilistic Safety Analysis Guide published by the Federal German Ministry of the Environment (BMU) on August 30, 2005, show level-1 PSA results significantly lower than the IAEA target for plants in operation (< 10⁻⁴ per year). Moreover these results are below the recommended target (10⁻⁵ per year) for new plants; they also show the balance of the system and plant technology of GKN I. The level-2 PSA results show that the GKN I frequencies for serious fission-product release are extremely low; the activity risk for the immediate vicinity of GKN I is very low and comparable with the activity risk determined for the GKN II plant. All in all, the level-1 and level-2 PSA results confirm a balanced safety concept and a very high safety level for GKN I. Culture and guidelines The two Units at the Neckarwestheim site (GKN I and GKN II) and the two at the Philippsburg site (KKP 1 and KKP 2) and the definitively shut down (decommissioned) Obrigheim nuclear power plant (KWO) are operated by the EnBW Kernkraft GmbH (EnKK). The safety of its plants is a top priority for EnKK. The guiding principle is "safety takes priority over economic efficiency". Just like all other German plants, EnKK's nuclear power plants are subject to permanent, independent legal supervision (nuclear supervisory authority). The premise that safety in operation of the plants has topmost priority is also anchored organizationally in EnKK with the management system for nuclear safety, quality assurance, environmental protection and occupational health and safety protection (Integrated Management System), certified in accordance with international standards. This is because for the safety of its nuclear power plants EnKK consistently pursues a comprehensive approach making equal provision for the human, technology and organization factors and their interaction. This approach aims at continuous optimization and development in all the above-mentioned fields. On account of the safety philosophy outlined above, the plants are operated on a very high safety level — and this also holds true in international comparison. As a matter of fact, for the four plants GKN I and GKN II and KKP 1 and KKP 2 the current results of the safety reviews required by law show that, without exception, all 4 plants satisfy all safety requirements. The safety level of the plants is comparable with that required by the International Atomic Energy Agency (IAEA) for new plants. (Note: Legislation does not require a safety review of KWO, which was decommissioned in 2005). In addition, the International Atomic Energy Agency (IAEA) has repeatedly confirmed an EnKK safety standard of the highest international level. On the initiative of EnKK, the agency assessed the Philippsburg (in 2004 and 2006) and Neckarwestheim (in 2007 and 2009) nuclear power plants in the framework of OSART missions.
Given the above-mentioned comprehensive view of the human, technology and organization factors on safety, OSART missions serve the purpose of obtaining knowledge of the human and organization aspects of a nuclear power plant. On the basis of its findings, the IAEA declared that EnKK evinces "overall a high degree of commitment and leadership in the management of safety and safety culture." Correspondingly the plants achieved very good results measured by international standards. Taken overall, therefore, the comprehensive estimation of the EnKK plants is one of an excellent safety level and a high human-factor and organizational safety culture. In order to ensure that this high degree of safety is not only maintained but indeed constantly raised, EnKK invests and optimizes continuously with regard to all three factors. And of course the company will also continue to identify new requirements and implement measures as necessary. And in these endeavors, in future EnKK will continue to pursue its comprehensive approach — in operating and in decommissioning and in dismantling the plants — the approach that makes equal provision for the human, technology and organization factors.

Earthquake For the licensing procedure of GKN I, a maximum ground acceleration of 170 cm/s² (peak ground acceleration (PGA), rigid body acceleration) was defined for seismic design (maximum potential earthquake or safe shutdown earthquake).


This definition is based on a deterministic seismic hazard analysis allowing for the special requirements for nuclear power plants with regard to resistance to seismic events. According to today's valuation standards, the design base intensity of I = 8 includes a safety factor of one intensity level. The reasoning on which this is based is that the current KTA procedure identifies a design intensity of only I = 7 for the required annual exceedance probability of 10⁻⁵ per year. When the original design basis earthquake (I = 8) is assessed from today's viewpoint, an exceedance probability of < 10⁻⁶ per year can be assigned. The classical subsoil expertise and the results of metrological studies clarify that the subsoil is suitable for a nuclear facility, that the conditions at the GKN site can be described uniformly as "rock" and that transient transmission behavior is uniform without particular amplification effects. The Neckarwestheim site is located in an area of low seismic activity. The seismic load assumptions have been cross-checked by different groups of experts and are well verified. The extensive studies undertaken within the past years have confirmed the original design base variables as conservative specifications and consequently there have been no findings necessitating a change to the seismic load postulations for GKN I. The design-base variables also comply with the specifications of KTA 2201.1, now revised as a draft change amendment proposal (status June 2010). In April 2011, all nuclear power plants in Baden-Württemberg underwent safety review by a team of experts. The team of experts was appointed by the government of Baden-Württemberg in direct reaction to the events in Fukushima. The team of experts ascertained that the current expertise on assessment of the seismic load assumptions at the GKN site not only covers the valid KTA rule 2201.1 in scope of the work, but goes beyond it in specifics.
In summary it can be stated that the present design basis is adequate and compliant with the state of the art. Moreover, the existing design offers further margins for beyond-design-base events. The structures, systems and components necessary for accident control are designed to provide protection against the design basis earthquake; they have margins and are therefore also robust against beyond-design-base earthquakes. The plant is designed for the design basis earthquake. Consequently, the earthquake-induced "damage possibilities" are taken duly into account in the design. The "earthquake" external event is controllable with the available design safety systems, even assuming a repair case and a postulated single-mode fault. In addition, the earthquake-conditioned core damage frequency was calculated in the earthquake PSA and the system functions for the control of seismic action were systematically analyzed. The earthquake-conditioned failure of the facilities designed specially against the design basis earthquake contributes no more than insignificantly to the earthquake-conditioned core damage frequency. It was shown that no dominant relevant contributions result from the earthquake-conditioned failure of structures, systems and components. Consequently, no cliff edge effects are identifiable even in relation to earthquake events of very low probability. The failure in consequence of earthquake of structures, systems and components not essential in an earthquake event was also taken into account in design. Either their design was directly to sustain a design basis earthquake event or proof was forthcoming that the effects of failure remain within limits and do not lead to an impermissible restriction of the accident control. In accordance with design specifications, power supply in the event of a design basis earthquake and simultaneous failure of all off-site power grid connections and generator supply is off the emergency power diesels in the four-leg emergency power system. As regards accessibility, the damage for the design basis earthquake on the power plant site and off-site would not impermissibly restrict the availability of the requisite personnel and supply facilities. The licenses and modification licenses and subsequent official requirements and provisions including the documents cited in the decisions are deemed to constitute the basis for licensing. In these decisions the licensing authority has set out the legal requirements in the form of licensing documents and auxiliary conditions for the installation and operation of the plants. The process for compliance with the basis for licensing with regard to key systems, components and structures for the earthquake service condition does not differ from the general process for ensuring compliance with the valid basis for licensing.
Compliance with the licenses as granted and with the subsequent provisions is ensured by appropriate internal measures and processes. This procedure undergoes additional surveillance in the form of measures implemented by the state supervisory body on the part of the regulatory authority and by independent experts retained for the purpose. The earthquake external event is a design basis accident that is controlled with the permanently installed safety systems provided for the purpose. No mobile equipment or supply functions are necessary. Neither within the framework of the continuous and periodic reviews nor in the results of the special reviews initiated by the events in Fukushima were any deviations from the basis for licensing identified.

By way of arriving at an estimate of the earthquake intensity that could lead to severe core damage, the conservative assumptions and margins in the models along the chain from the determination of the design basis earthquake to the plant as built are considered and evaluated. The studies revealed no indications of effects which, in the event of a beyond-design-base earthquake, would lead to a step-change deterioration (cliff edge) in safety-relevant boundary conditions (e.g. cross-redundancy failure on account of flooding, destruction by consequential explosions, etc.). Evaluation on the basis of the margins as indicated shows that even given a postulated beyond-design-base earthquake with an intensity of I = 9, no global loss of safety-relevant vital functions is anticipated. Given the enormous increase in effects that this entails, no cliff edge effects are anticipated. At a further increase of intensity to I = 10, assumed for the purposes of this study, relevant earthquake-related failures could not be precluded. A relevant event of this nature would be, for example, structural failure of the reactor building. This constitutes a potential cliff edge effect, but a hypothetical one, because the likelihood of its occurrence does not arise until event intensities are in the region of I > 9. Given the geological and tectonic boundary conditions and the low seismicity at the site, earthquakes of such intensity are virtually precluded. The occurrence rate for intensity I > 9 at the site is of the order of 10^-8 per year.

With regard to hazards due to severe core damage as the result of a beyond-design-base earthquake, it is to be noted that for GKN I, even in the event of the design basis earthquake being exceeded significantly, there is no likelihood of the loss of vital safety functions and, on account of site conditions and the robustness of the plant, there is no likelihood of the occurrence of cliff edge effects. This also applies unreservedly to containment boundary integrity. The reactor building of GKN I is a solid reinforced-concrete structure integrating a spherical steel enclosure as the containment boundary. Large-area failure of the steel enclosure can be considered in this context as a hypothetical cliff edge effect that could lead to loss of containment boundary integrity.
However, this is not to be reckoned with unless an earthquake event reaches the intensity range I > 9, an occurrence that can be precluded on account of the geological and tectonic boundary conditions and the low seismicity at the site. Postulating an earthquake-induced sudden rupture of an upriver water-retention structure (lock, dike), the Besigheim lock, located at a distance of 8 km, is on account of its height the governing case for all downstream water-retention structures on the Neckar. On account of the geographic situation, under these circumstances there would be no flooding that would affect the safety of the power plant. On account of the design of the plant and the seismic conditions at the site, robustness against seismic events is high. Consequently, there is no need for further measures.

External Floods

The design basis flood-water level for the plant was calculated at 172.66 meters above sea level. The flooding protection height of the station was specified as 173.5 meters above datum sea level, with provision made for a freeboard margin, so it is 84 cm higher than the design basis flooding level. The methodology for calculating the design basis flooding level is set out primarily in KTA 2207 "Protection of nuclear power plants against flooding". This regulation stipulates an exceedance probability of 10^-4 per year for the design basis flooding level.

The design basis flood level was checked on the basis of better computational models and an extended data base in 2003 and again in 2007. These studies confirmed the design basis flooding level calculated in 1981. When the plant was designed, the flooding protection height was selected to provide a high safety margin over the design basis flooding level. This corresponds to an exceedance probability of 10^-5 per year. The protection of the safety-relevant plant equipment necessary for shutdown of the reactor, for residual heat removal and for preventing inadmissible release of radioactivity consists of the protection of the safety-relevant buildings in which this safety-relevant plant equipment and its supply systems are located. These buildings are protected structurally up to a protection height of 173.5 meters above datum sea level. The buildings forming part of the scope of protection are sealed by the structural use of water-impermeable concrete. The outsides, moreover, are sealed against hydraulic pressure below ground level. The cable and pipe penetration assemblies in safety-important buildings are of watertight and pressure-tight design. The entries of relevant buildings are either sited at heights above the protection height of 173.5 meters above datum sea level or they have flooding bulkheads that have to be fitted on demand. The relevant procedures for the defense-in-depth measures to prevent flooding damage are set out in the Operating Procedures Manual. The access routes to the power plant site are mostly passable for vehicular traffic; the traffic routes on site and to the accesses to the buildings are not significantly restricted. Human-resource availability and accessibility for equipment are ensured, and safety-relevant measures (operating actions and repairs) can be undertaken without restriction.
The process regarding systems, components and structures necessary for the flooding load does not differ from the general process for ensuring compliance with the valid basis for licensing. Compliance with the licenses as granted and with the subsequent provisions is ensured by appropriate internal measures and processes. This procedure undergoes additional surveillance in the form of measures implemented by the state supervisory body on the part of the regulatory authority and by independent experts retained for the purpose. The process with regard to mobile facilities does not differ from the general process for ensuring compliance with the valid basis for licensing, as described above. Neither within the framework of the continuous and periodic reviews nor in the special reviews initiated as a result of the events in Fukushima were any deviations from the basis for licensing identified.

Many barriers are in place and would have to fail before core damage could occur. Flood water would have to rise to the air intakes of the emergency power diesel building before the secondary ultimate heat sink fails. These intakes are approximately 4 meters above the existing protection height, so this occurrence need not be assumed. On account of the plant's existing high robustness, extending far into the beyond-design range, no further measures to increase the plant's robustness against flooding are envisaged.

Extreme weather conditions

Plant design took into account various weather conditions (e.g. extreme river-water and air temperatures, wind and snow loads, rainstorm, lightning). The extreme weather conditions in the summer of 2003 initiated a review of whether safety-relevant design and verification parameters would have to be adjusted to allow for extreme weather conditions. The outcome was that the existing design margins of the safety-important structural and mechanical facilities also cover extreme weather. On account of their low frequency and the limited impacts on the plant's safety system, extreme weather conditions do not contribute significantly to the overall frequency of hazard and core-damage states. Most combinations can be precluded on the basis of their expected frequency. Only combinations that are in a causal relationship have to be considered, such as snow and low temperatures or snow and storm. However, no extraordinary hazard to the plant could be identified for these combinations. The safety-important structural, electro-technical and mechanical facilities are adequately designed against extreme weather loads. There are no safety-relevant impacts due to extreme weather influences. On account of the robustness of the building structures in particular (designed to resist earthquake, aircraft crash and explosion pressure wave), exceeding the design-base values results in no impacts or only limited impacts on the plant's safety system. There are high design margins against extreme weather conditions. Further measures to increase robustness are not necessary.

Loss of power

In the event of a loss of off-site power from the 220 kV grid and the 110 kV system, and if the generator is unavailable, the emergency power system is no longer supplied by the auxiliary station service. If this loss of off-site power occurs, the reactor protection system initiates an automatic start of the four emergency power generators, which are located in the emergency diesel building. If the loss of off-site power persists, in accordance with the design specifications a 72-hour period of operation without external support is ensured for the emergency diesels. On account of the reduced load requirement in the condition under consideration, the fuel consumption of the diesels can be assumed to be considerably less than in the design-base condition. Consequently, reliable independent operation over a period of considerably more than 100 hours for the necessary redundancies is realistic. In summary it can be stated that, utilizing all plant-internal fuel reserves, a sustained loss of off-site power over a period of more than 7 days can be withstood without external support. Failure of all four emergency diesels constitutes what is defined internationally as a station blackout (SBO). Defense against this condition in GKN I is provided by a redundant standby emergency (SBO) diesel with diversified air cooling, located separately from the other emergency diesels. This diesel generator can be connected to each of the four emergency diesel redundancies and can then completely supply the electrical loads of the connected emergency redundancy. The standby emergency diesel can be connected manually if one or more emergency diesels fail to start or fail when in operation. Even when the plant is in low power operation, the energy supply to all systems and facilities to be considered as necessary for residual heat removal and control of the impacts of events is ensured by an adequate emergency supply.
The spent fuel pool is cooled either by two separate legs of the emergency core cooling and heat-removal system or by the third pool cooling leg. Consequently, assuming failure of the emergency diesels, the supply of electrical energy for this purpose is ensured by the standby emergency power diesel. In the event of failure of the three-phase supply for the DC power supply of the emergency system, the DC-supplied components and the consumer loads powered by inverters in the emergency diesel building and in the switchgear building receive an uninterrupted supply from the in-situ battery banks. On account of the system-specific design, the discharge time of all ± 24 V and 220 V batteries in the emergency diesel building is at least 2 hours. The discharge time of the ± 24 V battery banks in the switchgear building is at least 3 hours. The discharge time of the 220 V banks is in excess of 10 hours.

Regarding an operating duration in excess of the at least 10 hours stipulated in the code for the battery-buffered direct-voltage systems following an accident, it is primarily the accident monitoring instrumentation for assessment of plant condition to which power must be maintained. All other DC-supplied components and systems can be shut down manually. In the event of total failure of the three-phase power supply (failure of the emergency diesels and the standby emergency diesel), the primary aim of the shift is to have a three-phase supply re-established as soon as possible and to sustainably maintain heat removal via the secondary side by means of accident management measures. There are various emergency procedures for restoring a three-phase power supply with mobile or special external equipment. The measures for restoring the standby power supply as set out in the accident management manual are designed such that the procedures in question can be handled by the shift personnel present on their own. In principle, therefore, no external support is necessary. The accident management measure "secondary bleed and feed" is in place for controlling this scenario in power operation and in general when the reactor coolant system is closed and pressure-tight. When the plant is in low power operation with the reactor coolant system open, after failure of the cooling the water inventory heats up and evaporates. As a countermeasure, coolant is fed from the accumulators, and this alone would suffice to delay the possible occurrence of core damage by a number of hours. Furthermore, it is also possible to inject some of the spent fuel pool water into the reactor coolant system by gravity (geodetic head). As regards spent fuel pool cooling, with the cooling system unavailable at least 10 hours pass before the temperature could rise to the specified temperature of 80 °C. It would be at least another 5 hours before boiling conditions would be reached.
The GKN I plant has been shut down since mid-March 2011. All fuel assemblies are in the spent fuel pool. The decay heat to be removed from the fuel pool continues to drop. Consequently, the grace period for a temperature rise to 80 °C is extended to more than 48 hours. The time available for the recovery of normal core cooling is in all about one day, without unacceptable heating of the fuel. The adequacy of the protection against loss of power is therefore considered as entirely fulfilled. On account of the margins for ensuring the power supply as indicated, also taking superimposed events (earthquake, flooding, extreme weather conditions) into consideration, no need for measures to further increase robustness can be identified within the framework of this reassessment.

Nevertheless, in the light of the events in Fukushima, by way of supplementation the concept of this mobile power supply is to be further developed in technical and administrative respects.

Loss of ultimate heat sink with the assured auxiliary service water system available

With its 4 x 50 % system design for the active components, its double, spatially separated cooling water intake from the circulating water culvert and the diversified cooling possibilities for an intermediate cooler for nuclear equipment with mobile pumps and/or injection of well water, extensive provisions have been made at GKN I for the loss of the primary ultimate heat sink (run-of-river water supply) as the result of accidents or external events. The assured auxiliary service water system is a 4 x 50 % system for the active components, and in the event of a relevant challenge it is supplied from the emergency power system. The fourth auxiliary service water pump can be connected to any of the three flow legs to the intermediate cooler for nuclear equipment. The auxiliary service water systems, complete with all buildings and facilities, are designed to withstand the external events earthquake with subsequent rupture pressure wave, and flooding. Moreover, the pump buildings of the auxiliary service water system for nuclear equipment underwent reassessment for the explosion pressure wave load as per the Reactor Safety Commission guidelines. The aircraft crash load case is controlled by spatial separation. In case of need, the diversified supply of an intermediate cooler for nuclear equipment with well water can be maintained by the fifth, air-cooled standby emergency diesel. Consequently, an auxiliary service water supply is available in station blackout conditions. In all external events covered by design base accidents and in extremely improbable beyond-design-base events, reliable heat removal is ensured for GKN I, even in the long term, via the auxiliary service-water system for nuclear equipment or the existing diversified standby water supply possibilities. Heat removal is ensured without external support.
This applies even when these assumptions are superimposed with the initiating events under consideration, earthquake, flooding or extreme weather conditions. Even given a failure of the assured auxiliary service-water system, heat removal from the reactor coolant system and the spent fuel pool can be undertaken for any length of time and without external support by means of the standby water supply possibilities with well water or by means of mobile pumps. Moreover, when the reactor coolant system is closed, heat removal can be effected via the secondary side. The quantity of auxiliary service water required is only a fraction of the design base flow rate of the circulating water system, so the intake for the auxiliary service-water system for nuclear equipment can be assumed to be adequate even in the event of blockage of the receiving water, heavy accumulation of debris or other disruptions affecting the cooling water intake. The cooling-water discharge canals are also dimensioned for the design base flow rate of the recirculating water system and run at a suitable gradient down to the river. Consequently, the volume of auxiliary service water can discharge freely even if the return is adversely affected.

This applies even when these postulations are superimposed with the initiating events under consideration, earthquake, flooding or extreme weather conditions. As per the design specifications, the auxiliary service-water system for nuclear equipment is adequately dimensioned to withstand the external events earthquake with subsequent rupture pressure wave from vessel rupture in the turbine building, flooding and extreme weather conditions. The heat-removal capacity of the auxiliary service-water system for nuclear equipment is dimensioned for the internal event loss of coolant accident, and for this reason design margins are available with respect to the quantities of heat to be removed in the above-mentioned external event conditions. The switching operations in the auxiliary service-water system for nuclear equipment are largely performed automatically by the safety system I&C. The manual switching operations and the engaging of the mobile pumping equipment can be undertaken entirely by the shift and workshop personnel in the plant. No external human resources or mobile equipment are needed. In summary, as a result of the present reassessment it can be stated that GKN I exhibits very high robustness against a loss of the primary ultimate heat sink and against failure of the receiving water and/or return. This also applies for beyond-design-base external events and in extreme weather conditions. The adequacy of defense against a loss of the primary ultimate heat sink can therefore be confirmed in full.
The robustness of the GKN I plant against loss of the auxiliary service water system for nuclear equipment can be considered adequate on the basis of findings of the previous analyses and consequently further measures to increase robustness are not derived. With regard to heat removal from the spent fuel pool, evaporation cooling is to be incorporated into the accident management concept.

Loss of ultimate heat sink combined with station blackout

GKN I has diverse standby water supply possibilities. Standby water supply can be effected on the one hand by mobile pumping equipment with infeed of river water bypassing the receiving water, or by infeed of well water via an intermediate cooler for nuclear equipment. In case of need, the standby water supply possibilities can be supplied with energy by connecting to the fifth, air-cooled standby emergency diesel and are thus available in full even in a station blackout event. In the light of the very conservative definition of the station blackout event in the national guidelines of Germany's Reactor Safety Commission, a complete loss of the GKN I emergency power supply systems (the four emergency diesels and the fifth standby emergency diesel) has to be assumed, which goes significantly beyond the postulation for station blackout in the broader European sense.

Even for this very conservative view, in accordance with the information (lessons learned) about supply, activation of a leg of the auxiliary service-water system for nuclear equipment is possible at any time, at short notice and without external support by means of a mobile emergency power generator kept on site. The switching actions in the emergency service-water system are performed in part automatically by the safety system I&C. The manual switching actions can be undertaken entirely by the shift and workshop personnel in the plant. No external human resources or external mobile equipment are needed. In summary, as a result of the present reassessment and in accordance with the information set out in Chapters 5 and 6, it can be stated that GKN I again exhibits very high robustness against a loss of the primary ultimate heat sink with station blackout. This also applies for beyond-design-base external events such as earthquake and flooding, and for extreme weather conditions. The adequacy of defense against a loss of the primary ultimate heat sink with station blackout can therefore be confirmed in full. On account of the high robustness of the GKN I plant as indicated against loss of the primary ultimate heat sink with station blackout, no measures for increasing robustness can be derived. This also holds true in consideration of the beyond-design-base range of the initiating events earthquake, flooding and extreme weather conditions, and explosion blast wave. Moreover, even in the event of loss of the fifth emergency power diesel, activation of a leg of the auxiliary service-water system for nuclear equipment is possible at any time, at short notice and without external support by means of supply from a mobile emergency generator kept on site. The emergency power diesel facilities are cooled with well water and are therefore unaffected by failure of the receiving water.
In the very improbable event of complete failure of the receiving water, various accident management measures are in place for supplying a heat removal chain. From the current point of view there is no necessity for external measures to prevent core damage.

Management of severe accidents

The regular staffing level is the shift complement, with which all tasks of the duty shift for plant operation and accident management measures can be handled. The plant fire brigade complement is drawn partly from shift personnel of Unit I and Unit II and from physical protection personnel. The accident management manual regulates the organizational and technical measures immediately necessary in the event of accidents or damage events that could lead to an increased release of radioactive products or elevated radiation exposure in the environs of the nuclear power plant, so that countermeasures can be implemented to protect the personnel and the public.

The crisis-management group decides on measures to mitigate or eliminate damage. The interface to the external organizations is provided by the lead members of the taskforce units. Agreements on technical support for emergency-response and protective measures have been concluded with the nuclear support services company, the plant manufacturer and RWE Energie AG. Technical, medical and organizational assistance is also available from the local fire-fighting services and other emergency-rescue services. Personnel deployed in the nuclear power plant (GKN personnel, external contractors) receive instruction on the alerts, what they signify, and appropriate behavior in the various alert situations. Close contact is maintained with the full-time fire-fighting service based in the city of Heilbronn and the neighboring fire-fighting services. Drills are conducted in order to ensure that the appropriate corrective actions can be implemented from standby if a fault occurs. The operational capability and functional dependability of the accident management equipment are checked at regular intervals and the results are reported to the surveillance authority. The German safety code requires equipment for implementation of the plant-internal accident management measures to be kept in readiness on site, so that the personnel present in the plant can successfully undertake the plant-internal accident management measures within the grace period available. The regulations laid down to this end are part of the accident management manual. Mobile equipment from external sources is organized through the nuclear support services convoy. Under the terms of the existing contract this equipment is kept available round the clock and is ready for transportation. Regulations defining minimum stocks have been set out for all auxiliaries and consumables necessary for operation.
The accident management manual covers the management measures and protective measures for minimizing radiation exposure of the personnel. The five-level protection concept is applied in this respect. It contains the necessary measures for dosimetric monitoring of the personnel, for potential decontamination and for preventing activity transfer. Internal and external means of communication are available to the crisis-management group. If the telephone systems and power supply fail, satellite phones and satellite fax are available, along with BOS two-way radios for fire services (BOS: authorities and organizations with safety and security functions). Since the remote shutdown station and the emergency feedwater building are staffed at an early juncture in flooding challenges on account of the long grace periods, measures to be taken in the emergency diesel building and emergency feedwater building are independent of the external conditions. The system and building functions and accident management facilities necessary for implementation of the measures, the requisite personnel and the requisite consumables are available even in beyond-design-base flooding events. The requisite accident management measures can be undertaken despite even extreme flooding events.

If communication equipment is lost, communication can be established both internally and externally using mobile two-way radios. Furthermore, the plant has hard-wired connections from the remote shutdown station to the ring room (annulus), so that communication can be maintained between the remote shutdown station staff and the persons on site. Implementation of the plant-internal accident management measures in the anticipated environmental conditions (high activity in the containment and/or venting) is possible on account of the structural shielding. Underground access routes from the switchgear building to the redundancies of the emergency diesel building and to the remote shutdown station ensure accessibility without hindrance from outside. The crisis-management group center in the administration building is available even if the nuclear power plant site floods. In the event of non-availability of the rooms used by the crisis-management organization, the crisis-management group relocates to the designated external alternative facility. The entire measures package for accident management is designed to withstand influences from earthquake, external events, flooding and station blackout and their superimposition. The requisite accident management measures can be undertaken despite even extreme flooding events. The requirements for instrumentation and the measured radiological data that enable plant condition to be identified even under core melt conditions are set out in the KTA codes. Even during failure of the power supply to the accident instrumentation, findings can be obtained by means of the sensors. The accident sampling system enables samples to be taken from the reactor containment atmosphere and the reactor containment sump after a beyond-design-base event with core damage. The nuclear power plants GKN I and GKN II are each independent of the other and are operated completely separately from each other.
On the basis of the events and scenarios considered, the accident management organization is adequate. No further measures are planned. The introduction of the mitigative accident management manual marked the successful conclusion of the last planned measure.

Accident management measures for core cooling, for maintaining the integrity of the containment and for limiting the release of activity to the environment

On the basis of the events and scenarios considered, the implemented preventive and mitigative accident management measures are adequate. The robust containment of GKN I, in combination with the accident management measures filtered venting of the reactor containment and passive autocatalytic recombiners, will with very high probability withstand all loads to be expected in severe accidents. On account of the very large free volume inside the containment, moreover, the grace periods are very long. Within the framework of the mitigative accident management manual for GKN I, scenarios with activity release to the environment were studied. Strategies derived from these studies are available to the crisis management group. In this context many measures from the operating manual and the accident management manual that can reduce release to the environment when the systems are available were identified. The analyses within the framework of PSA level 2 have shown that no further improvement of containment integrity is necessary or of practical benefit. Preventive accident management measures before occurrence of fuel-assembly damage are described in the accident management manual. The successful implementation of one of these accident management measures ensures heat removal. In this way the occurrence of fuel-assembly damage is reliably prevented. After occurrence of fuel-assembly damage inside the reactor pressure vessel, measures are available which, when successfully implemented, are designed to

- extend the grace periods
- terminate destruction of the core / prevent RPV failure
- minimize nuclide release from the reactor containment

For the event of RPV failure consequent to a core meltdown, the mitigative accident management manual proposes and prioritizes various measures from the accident management manual and the operating manual. Given availability, these measures are intended firstly to maintain the function of the containment barrier and secondly to minimize nuclide release and extend grace periods. Adequate measures are available to prevent fuel-assembly damage/meltdown under high pressure. On account of favourable plant characteristics, moreover, passive pressure relief is highly probable. The targeted available measures for pressure relief in the reactor coolant system are set out in the accident management manual and the operating manual, and the level of reliability for their implementation is high.


To prevent hydrogen reactions, there are 38 passive recombiners inside the containment that recombine hydrogen with atmospheric oxygen without external media of any kind. Further operational measures for hydrogen reduction inside the containment could also be implemented but are unnecessary, because the passive recombiners effectively limit the hydrogen concentration. If the pressure inside the containment were to rise in the course of an accident, the overpressure is limited by the containment's venting system. This venting system incorporates a filter system which to a very large extent prevents activity release. Filtered venting of the reactor containment is an accident management measure that can be implemented with a high degree of reliability and which does not require an electrical supply. A re-criticality of the melt inside the containment is not anticipated, because all water supplies consist of borated coolant. If the core melt comes into contact with water, it can only be this coolant. Another operational measure to ensure sub-criticality is the volume control system, which can be used when necessary to introduce borated water from the boration tanks with > 7000 ppm of boron into the reactor coolant system and thus, if necessary, into the reactor cavity.

The probability of retention of a core melt inside the reactor pressure vessel can be increased by the injection of water. If the reactor pressure vessel were to fail on account of a core melt, the melt could react chemically with the concrete of the reactor cavity. This concrete erosion by hot melt is reduced when the melt is covered by water. For this reason, the injection of water into the reactor cavity (via the reactor coolant system) or into the sump is of benefit. A coolable configuration is also feasible for slow accident transients and water coverage of the melt. No precisely specifiable cliff edge effects prior to RPV failure are known. It is evident, however, that every slowdown in the course of the accident has a clear, positive effect with regard to the grace period preceding RPV failure and to concrete erosion. If heat removal is restored at an early enough juncture, further core destruction can be terminated (cf. TMI-2). The reactor containment venting accident management measure is of special significance with regard to defending the integrity of the containment. No supply functions are necessary for implementation of this measure. The reliability of human implementation of the "filtered venting of the reactor containment" accident management measure was assessed in the framework of the level-2 PSA. The probability of failure of implementation was calculated at 2.93 x 10^-3 (median); failure is therefore extremely improbable.


Except for reactor containment pressure measurement, no further instrumentation is necessary inside the containment to ensure defense against over-pressurization. The accident management measures can be implemented independently and if necessary in parallel in the two Units. In conclusion it can be stated that with a very high degree of probability, the robust containment of GKN I in combination with the accident management measures filtered venting of the reactor containment and the passive auto-catalytic recombiners will withstand all the loads to be expected within the framework of an accident. The level-2 PSA analyses have shown that no further measures for improving defense of containment integrity are necessary or practical with justifiable outlay.

If loss of containment integrity were to occur in the course of an accident with core melt, different systems could be used or measures implemented to reduce the release of activity, depending on the release path. The mitigative accident management manual distinguishes between the possible release paths, provides assistance for their diagnosis and offers adapted strategies. In addition, measures (if available) for reducing release to the environment are proposed as set out in the operating manual/accident management manual. If the heads of the fuel assemblies in the spent fuel pool are exposed, the containment prevents the release of radioactive nuclides to the environment. Under these circumstances, too, the auto-catalytic recombiners limit the hydrogen concentration inside the containment and remove the oxygen necessary for combustion. The shielding effect of water coverage in the spent fuel pool is of relevance only for the local implementation of accident management measures for alternative water supply to the pool, for which sufficient time is available.
The same preventive measures as in the case of release from the RPV/primary cooling circuit also act against a radiological release from the spent fuel pool. Since it is generally viable to assume longer grace periods and an intact containment, there is little likelihood of a significant release to the environment. The loss of cooling of the fuel assemblies in the storage pool can be detected with the existing instrumentation; progressing fuel-assembly damage after loss of cooling can be estimated with the aid of various measurements, comparable with an accident in power operation. In an activity release, the air pressure inside the control room is raised to a gauge overpressure with a mobile air-handling system in order to prevent the ingress of activity. Consequently the main control room can remain staffed.

In conclusion, regarding reduction of activity releases it can be noted that scenarios with activity release to the environment were examined in depth in the framework of the mitigative accident management manual and strategies have been derived that are available to the crisis-management group. In this context many measures from the operating manual and the accident management manual that can reduce release to the environment when the systems are available were identified.

10 GKN II / Neckarwestheim 2

Outline description of the nuclear power plant

Plant description

The Neckarwestheim Nuclear Power Plant with two pressurized water reactors is located in a closed quarry on the Neckar River nearly 10 km south of the city of Heilbronn. As one of three KONVOI plants manufactured by KWU (Kraftwerk Union), Unit 2 (GKN II) is the youngest reactor in Germany. The PWR plant with a reactor core of 193 fuel assemblies is a typical 4-loop plant with four steam generators and four-train, spatially segregated safety systems (e.g. 4 emergency-cooling and heat-removal systems, 4 emergency diesels) and four additional emergency feedwater power diesels (SBO diesels). From the thermal output of 3850 MW a gross electric output of 1400 MW can be generated by one high-pressure turbine section and two low-pressure turbine sections with the aid of a turbine generator. The cooling water supply is via a virtually closed cooling water system with a hybrid cooling tower, for which only a small volume of water has to be taken from the Neckar and treated. The reactor building is a solid reinforced-concrete structure and along with safety-important equipment it also houses the containment, which is made of steel. This containment is of full-pressure design and it encloses the primary cooling circuit with its components (including, inter alia, the reactor pressure vessel with connecting piping, the main cooling pumps and the steam generators) and the spent fuel pool for spent fuel assemblies. On April 15, 1989, Neckarwestheim NPP Unit 2 commenced commercial power operation and by the end of June 2011 it had generated more than 245 thousand million kWh (gross) of electrical energy. The licensee of the Neckarwestheim Nuclear Power Plant is EnBW Kernkraft GmbH (EnKK).

The Probabilistic Safety Analyses performed up to now within the framework of the periodic safety review for GKN II, in accordance with the Probabilistic Safety Analysis Guide published by the Federal German Ministry of the Environment (BMU) on August 30, 2005, show level-1 PSA results significantly lower than the IAEA target for plants in operation (< 10^-4 per year). Moreover these results are below the recommended target (10^-5 per year) for new plants; they also show the balance of the system and plant technology of GKN II. The level-2 PSA results show that the GKN II frequencies for serious fission-product release are extremely low. All in all, the level-1 and level-2 PSA results confirm that GKN II has a balanced safety concept in place and possesses a very high safety level.

Culture and guidelines


The two Units at the Neckarwestheim site (GKN I and GKN II), the two at the Philippsburg site (KKP 1 and KKP 2) and the definitively shut down (decommissioned) Obrigheim nuclear power plant (KWO) are operated by EnBW Kernkraft GmbH (EnKK). The safety of its plants is a top priority for EnKK. The guiding principle is "safety takes priority over economic efficiency". Just like all other German plants, EnKK's nuclear power plants are subject to permanent, independent legal supervision (nuclear supervisory authority). The premise that safety in operation of the plants has topmost priority is also anchored organizationally in EnKK through the management system for nuclear safety, quality assurance, environmental protection and occupational health and safety protection (Integrated Management System), certified in accordance with international standards. For the safety of its nuclear power plants EnKK consistently pursues a comprehensive approach making equal provision for the human, technology and organization factors and their interaction. This approach is aimed at continuous optimization and development in all the above-mentioned fields. On account of the safety philosophy outlined above, the plants are operated on a very high safety level, and this also holds true in international comparison. As a matter of fact, for the four plants GKN I, GKN II, KKP 1 and KKP 2 the current results of the safety reviews required by law show that, without exception, all 4 plants satisfy all safety requirements. The safety level of the plants is comparable with that required by the International Atomic Energy Agency (IAEA) for new plants. (Note: Legislation does not require a safety review of KWO, which was decommissioned in 2005.) In addition, the International Atomic Energy Agency (IAEA) has repeatedly confirmed an EnKK safety standard of the highest international level.
On the initiative of EnKK, the agency assessed the Philippsburg (in 2004 and 2006) and Neckarwestheim (in 2007 and 2009) nuclear power plants in the framework of OSART missions. Given the comprehensive view outlined above of the effect of the human, technology and organization factors on safety, OSART missions serve the purpose of obtaining knowledge of the human and organization aspects of a nuclear power plant. On the basis of its findings, the IAEA declared that EnKK evinces "overall a high degree of commitment and leadership in the management of safety and safety culture." Correspondingly the plants achieved very good results measured by international standards. Taken overall, therefore, the comprehensive assessment of the EnKK plants is one of an excellent safety level and a high human-factor and organizational safety culture. In order to ensure that this high degree of safety is not only maintained but indeed constantly raised, EnKK invests and optimizes continuously with regard to all three factors. And of course the company will also continue to identify new requirements and implement measures as necessary. In these endeavors, EnKK will in future continue to pursue its comprehensive approach, in operating, in decommissioning and in dismantling the plants, the approach that makes equal provision for the human, technology and organization factors.

Earthquake

For the licensing procedure of GKN II, a maximum ground acceleration of 170 cm/s^2 (peak ground acceleration (PGA), rigid body acceleration) was defined for seismic design (maximum potential earthquake or safe shutdown earthquake). This definition is based on a deterministic seismic hazard analysis allowing for the special requirements for nuclear power plants with regard to resistance to seismic events. According to today's assessment standards, the design basis intensity of I = 8 includes a safety factor of one intensity level. The reasoning on which this is based is that the current KTA procedure identifies a design intensity of only I = 7 for the required annual exceedance probability of 10^-5 per year. When the original design basis earthquake (I = 8) is assessed from today's viewpoint, an exceedance probability of < 10^-6 per year can be assigned to it. The classical subsoil expertise and the results of metrological studies make clear that the subsoil is suitable for a nuclear facility, that the conditions at the GKN site can be described uniformly as "rock" and that the transient transmission behavior is uniform without particular amplification effects. The Neckarwestheim site is located in an area of low seismic activity. The seismic load assumptions have been cross-checked by different groups of experts and are well verified. The extensive studies undertaken within the past years have confirmed the original design basis variables as conservative specifications and consequently there have been no findings necessitating a change to the seismic load assumptions for GKN II. The design basis variables also comply with the specifications of KTA 2201.1, now revised as a draft amendment proposal (status June 2010). In April 2011, all nuclear power plants in Baden-Württemberg underwent safety review by a team of experts. The team of experts was appointed by the government of Baden-Württemberg in direct reaction to the events in Fukushima. The team of experts ascertained that the current expertise on assessment of the seismic load assumptions at the GKN site not only covers the valid KTA rule 2201.1 in the scope of the work, but goes beyond it in specifics.
In summary it can be stated that the present design basis is adequate and compliant with the state of the art. Moreover, the existing design offers further margins for beyond-design-base events. The structures, systems and components necessary for accident control are designed to provide protection against the design basis earthquake; they have margins and are therefore also robust against beyond-design-base earthquakes. The plant is designed for the design basis earthquake. Consequently, the earthquake-induced "damage possibilities" are taken duly into account in the design. The "earthquake" external event is controllable with the available design safety systems, even assuming a repair case and a postulated single failure. In addition, the earthquake-conditioned core damage frequency was calculated in the earthquake PSA and the system functions for the control of seismic action were systematically analyzed. The earthquake-conditioned failure of the facilities designed specially against the design basis earthquake contributes no more than insignificantly to the earthquake-conditioned core damage frequency. It was shown that no dominant relevant contributions result from the earthquake-conditioned failure of structures, systems and components. Consequently, no cliff edge effects are identifiable even in relation to earthquake events of very low probability. The failure in consequence of an earthquake of structures, systems and components not essential in an earthquake event was also taken into account in the design. Either they were designed directly to withstand the design basis earthquake, or proof was provided that the effects of their failure remain within limits and do not lead to an impermissible restriction of accident control.

In accordance with design specifications, power supply from the emergency power systems in the event of a design basis earthquake (DBE) with simultaneous failure of all off-site power grid connections and of the generator supply is from the generators of the D1 emergency power system. In addition, a further supply is available through the D2 emergency power system (SBO diesels). As regards accessibility, the damage for the design basis earthquake on the power plant site and off-site would not impermissibly restrict the availability of the requisite personnel and supply facilities. The licenses and modification licenses and subsequent official requirements and provisions, including the documents cited in the decisions, are deemed to constitute the basis for licensing. In these decisions the licensing authority has set out the legal requirements in the form of licensing documents and auxiliary conditions for the installation and operation of the plants. The process for compliance with the basis for licensing with regard to key systems, components and structures for the earthquake service condition does not differ from the general process for ensuring compliance with the valid basis for licensing.
Compliance with the licenses as granted and with the subsequent provisions is ensured by appropriate internal measures and processes. This procedure undergoes additional surveillance in the form of measures implemented by the state supervisory body on the part of the regulatory authority and independent experts whose services are retained for the purpose. The earthquake external event is a design basis accident that is controlled with the permanently installed safety systems provided for the purpose. No mobile equipment and supply functions are necessary. Neither in the continuous and periodic reviews nor in the special reviews initiated by the events in Fukushima were any deviations from the basis for licensing identified.

By way of arriving at an estimate of the earthquake intensity that could lead to severe core damage, the conservative assumptions and margins in the models along the chain from determination of the design basis earthquake to the plant as-is are considered and evaluated. The studies revealed no indications of effects which, in the event of a beyond-design-base earthquake, would lead to step-change deterioration (cliff edges) in safety-relevant boundary conditions (e.g. cross-redundancy failure on account of flooding, destruction by consequential explosions, etc.). Evaluation on the basis of the margins as indicated shows that even given a beyond-design-base earthquake with an intensity level I = 9, no global loss of safety-relevant functions is anticipated. Even with the enormous increase of the effects that this entails, no cliff edge effects are anticipated. At a further increase of intensity to I = 10 for the purposes of this study, relevant earthquake-related failures could not be precluded. A relevant event of this nature would be, for example, structural failure of the reactor building. This constitutes a potential cliff edge effect, but one that is hypothetical because the likelihood of its occurrence does not arise until event intensities are in the region of I > 9. Given the geological and tectonic boundary conditions and the low seismicity at the site, earthquakes of such intensity are virtually precluded. The intensity occurrence rate for I > 9 at the site is of the order of less than 10^-8 per year. With regard to hazards due to severe core damage as the result of a beyond-design-base earthquake, it is to be noted that for GKN II, even in the event of the design basis earthquake being exceeded significantly, there is no likelihood of the loss of safety functions and, on account of site conditions and the robustness of the plant, there is no likelihood of the occurrence of cliff edge effects. This also applies unreservedly for containment boundary integrity. The reactor building of GKN II is a solid reinforced-concrete structure integrating a spherical steel enclosure as the containment boundary. Large-area failure of the steel enclosure can be considered in this context as a hypothetical cliff edge effect that can lead to loss of containment boundary integrity.
However, this is not to be reckoned with unless an earthquake event reaches a magnitude in the intensity range I > 9, an occurrence that can be precluded on account of the geological and tectonic boundary conditions and the low seismicity at the site. Postulating an earthquake-induced sudden rupture of an upriver water-retention structure (lock, dike), the Besigheim lock located at a distance of 8 km is, on account of its height, the bounding case for all downstream water-retention structures on the Neckar. On account of the geographic situation, under these circumstances there would be no occurrence of flooding that would affect the safety of the power plant. On account of the design of the plant and the seismic conditions at the site, robustness against seismic events is high. Consequently, there is no need for further measures.

External Floods

The design basis flood-water level for the plant was calculated at 172.66 meters above sea level. The flooding protection height of the station was specified as 173.5 meters above datum sea level with provision made for a freeboard margin, so it is 84 cm higher than the design basis flooding level. The methodology for calculating the design basis flooding level is set out primarily in KTA 2207 "Protection of nuclear power plants against flooding". This regulation stipulates an exceedance probability of 10^-4 per year for overtopping of the design basis flooding level.

The design basis flood was checked on the basis of better computational models and an extended data base in 2003 and again in 2007. These studies confirmed the design basis flooding level calculated in 1981. When the plant was designed the flooding protection height was selected to provide a high safety margin over the design basis flooding level. This corresponds to an exceedance probability of 10^-5 per year. The protection of the safety-relevant plant equipment necessary for shutdown of the reactor, for residual heat removal and for preventing inadmissible release of radioactivity consists of the protection of the safety-relevant buildings in which this safety-relevant plant equipment and its supply systems are located. These buildings are protected structurally up to a protection height of 173.5 meters above datum sea level. The buildings forming part of the scope of protection are sealed by the structural use of water-impermeable concrete. The outsides, moreover, are sealed against hydraulic pressure below ground level. The cable and pipe penetration assemblies in safety-important buildings are of watertight and pressure-tight design. The entries of relevant buildings are either sited at elevations above the protection height of 173.5 meters above datum sea level or they have temporary or permanent flooding bulkheads that are in place at all times. The relevant procedures for the defense-in-depth measures to prevent flood damage are set out in the operating manual. The access routes to the power plant site are mostly passable for vehicular traffic; the traffic routes on site and to the accesses to the buildings are not significantly restricted. Human-resource availability and accessibility for equipment are ensured and safety-relevant measures (operating actions and repairs) can be undertaken without restriction.
The process regarding systems, components and structures necessary for the flooding load does not differ from the general process for ensuring compliance with the valid basis for licensing. Compliance with the licenses as granted and with the subsequent provisions is ensured by appropriate internal measures and processes. This procedure undergoes additional surveillance in the form of measures implemented by the state supervisory body on the part of the regulatory authority and independent experts whose services are retained for the purpose. The process with regard to mobile facilities does not differ from the general process for ensuring compliance with the valid basis for licensing, as described above. Neither in the continuous and periodic reviews nor in the special reviews initiated as a result of the events in Fukushima were any deviations from the basis for licensing identified.


Very many barriers are in place and would have to fail before core damage could occur. Flood water would have to rise to the air intake of the D2 diesels (SBO diesels), approximately 5 meters above the elevation of the power plant, before the secondary ultimate heat sink would fail. This intake is approximately 4 meters above the existing protection height, so the occurrence need not be assumed. On account of the plant's existing high robustness, extending far into the beyond-design range, no further measures to increase the plant's robustness against flooding are envisaged.

Extreme weather conditions

Plant design took into account various weather conditions (e.g. extreme river-water and air temperatures, wind and snow loads, rainstorm, lightning). The extreme weather conditions in the summer of 2003 initiated a review of whether safety-relevant design and verification parameters would have to be adjusted to allow for extreme weather conditions. The outcome was that the existing design margins of the safety-relevant key structural and mechanical facilities also cover extreme weather. On account of their low frequency of occurrence and the limited impacts on the plant's safety system, extreme weather conditions do not contribute significantly to the overall frequency of hazard and core-damage states. Most combinations can be precluded on the basis of their expected frequency of occurrence. Only combinations that are in a causal relationship have to be considered, such as snow and low temperatures or snow and storm. However, no extraordinary hazard to the plant could be identified for these combinations. The safety-important structural, electro-technical and mechanical facilities are adequately designed against extreme weather loads. There are no safety-relevant impacts due to extreme weather influences. On account of the robustness of the building structures in particular (design to resist earthquake, aircraft crash and explosion blast wave), exceeding the design-base values results in no impacts or only limited impacts on the plant's safety system. There are high design margins against extreme weather conditions. Further measures to increase robustness are not necessary.

Loss of power

In the event of extensive grid outages, simultaneous loss of the main-grid and off-site power supply connections cannot be excluded. Consequently such a loss of off-site power was taken into account in full in the technical design of the power plant. No safety systems are needed for control of this plant transient. Given turbine and generator system operation in accordance with design specifications, house load can be covered for an unlimited period of time. The simultaneous non-availability of the main off-site grid supply and the back-up supply together with failure of load shedding to auxiliary station supply constitutes what is known as loss of offsite power. The loss of offsite power condition is a design base fault for which no accident management measures are necessary in this context. There is no influence by the second Unit on the site, GKN I, on account of the plant-specific layout of the safety systems and the necessary building infrastructure. In summary it can be stated that, utilizing all plant-internal fuel reserves and without external support, endurance of a sustained loss of offsite power condition over a period of more than 7 days is ensured.

The failure of the quadruple-redundancy D1 emergency diesels is an accident condition that has to be assigned to the beyond-design-base range. Nevertheless, this event was taken into consideration in plant planning. The D2 emergency feedwater system (SBO diesels), which is additionally designed against external events, is available for this purpose. The failure of the D1 emergency diesels and the D2 emergency feedwater diesels (SBO diesels) constitutes total failure of the three-phase supply. The accident management measure secondary-side "bleed and feed" is in place for controlling the effects of a total failure of the three-phase supply. In a total failure of the three-phase power supply (failure of the D1 emergency diesels and the D2 emergency feedwater diesels), the primary aim of the shift crew is to sustainably maintain heat removal to the secondary side and to have a three-phase supply re-established as soon as possible by means of accident management measures.
There are various accident management procedures in place for restoring a three-phase power supply with mobile or special external equipment. Independently of the above, precautions have been implemented by which truck-transported emergency power generators can be procured within 4 hours. The measures for restoring the substitute power supply as set out in the accident management manual are designed such that the procedures in question can be handled by the shift personnel present on their own. In principle, therefore, no external support is necessary. The question posed as to the time available for the restoration of regular core cooling can be answered in general terms with a figure of about one day, without the spent fuel pool heating up in an unacceptable way. Direct damage to the core fuel, however, does not occur. All events in the EU stress test, which also cover extremely unlikely beyond-design-base accidents and which accordingly are to be assessed, are sustainably managed by GKN II without external support, so there are no grounds for apprehending fuel assembly damage in the reactor core or the spent fuel pool.


The engineered plant precautions of particular significance in this respect are the various permanently installed multiple-redundancy and diversified emergency diesel systems and supplementary accident management measures corresponding to the defense-in-depth safety concept. Accordingly, in a failure of the auxiliary electrical power supply a failure of the quadruple-redundancy emergency diesels (D1 emergency diesel system) is controlled by the quadruple-redundancy emergency feedwater diesels (D2 emergency feedwater system, SBO diesels). This design was chosen so that failure of the emergency diesels, inter-nationally designated "station blackout", would be controlled and therefore does not have to be assumed. The adequacy of defense against loss of power supply is therefore established as being in full of scope. Without refueling from off site, the fuel reserves stocked for the diesel generators ensure operation capability for a period so long that even under the difficult boundary conditions for accessibility of the power plant site defined by ENSREG, a considerable time reserve of several days can be ensured for refueling from off site. The personnel directly needed are always present on site as shift personnel. In principle external personnel or external mobile equipment are not necessary. On account of the margins for safeguarding the power supply as indicated, also taking superimposed events (earthquake, flooding, extreme weather conditions) into consideration, no need for measures for further increasing robustness can be identified within the framework of this reassessment. Conversely, the events in the Fukushima nuclear power plant reconfirm in a special way the robustness of the design principles under discussion here for the GKN II plant. 
Notwithstanding the above, for the present a mobile emergency power diesel generator is kept on site with the objective of further developing the robustness of the three-phase power supply and thus also of the direct-voltage power supply. In addition, the concept of this mobile power supply is to be further developed in technical and administrative respects.

Loss of ultimate heat sink

An assured auxiliary service water system is available. As the ultimate primary heat sink for the safety-relevant components, the GKN II nuclear power plant has a 4 x 50 % auxiliary service water system with separate cell coolers. This system is completely independent of the river-water supply. On account of the design with multiple-cell cooling towers, the assured auxiliary service water system is not affected in any way whatsoever by a failure of the receiving water or river. For a non-availability of the assured auxiliary service water system, moreover, the plant also has an emergency auxiliary service water system that can be operated in recirculating cooling mode with river water. In terms of the heat sink used, but also in terms of process engineering, the two systems are diverse in their design. The assured auxiliary service water system with its associated cell cooler systems is not affected by a failure of the receiving water or river. On account of the technical independence of the emergency auxiliary service water system as described above, in principle there is no time limit for operation of this heat removal chain as long as its electricity supply is maintained.


Given the possibilities as described, no external measures are necessary for avoidance of fuel assembly damage and consequently none are envisaged. In a total failure of the assured auxiliary service water system and the emergency auxiliary service water system, there is no time restriction with regard to the feedwater supply for the steam generators. The time available for restoration of a failed heat sink is approximately one day. Direct damage of the core fuel, in contrast, is not to be apprehended. Neither blockage of the receiving water or the circulating water return, nor other problems affecting the supply of river water, lead to failure of the assured auxiliary service water system of GKN II. The emergency auxiliary service water system is to be considered as an alternative heat sink to the auxiliary service water system and it too is unaffected by extreme low-water levels. It is designed against external events (flooding, explosion blast wave, etc.). In summary, it can be stated that on account of the design of the assured auxiliary service water system, and given the diversity of the deep-intake emergency auxiliary service water system, the "external event" case and all instances detrimental to the receiving water or the operational intake structure are covered. This also applies for beyond-design-base flooding with superimposition of station blackout. The robustness of the GKN II plant against loss of the assured auxiliary service water is considered adequate on the basis of the findings of the previous analyses. Consequently, no further measures to increase robustness need be derived. With regard to heat removal from the spent fuel pool, evaporation cooling is to be incorporated into the accident management concept.

Loss of ultimate heat sink combined with station blackout

In a failure of the D1 emergency diesels, the D2 emergency feedwater diesels (SBO diesels) are available. In this case, too, soft trip of the plant to the "cold standby" condition is possible at any time. Demand-optimized operation of the D2 emergency feedwater diesels (SBO diesels) extends the fuel supplies to a period of at least seven days. Heat removal via the emergency auxiliary service water supply is possible virtually without time limit, as long as the system's energy supply via the D2 emergency power system (SBO diesels) is maintained. There are no grounds for apprehending loss of controlled heat removal from the core or the spent fuel pool. No external measures to avoid fuel assembly damage are necessary. The event "failure of the ultimate heat sink combined with station blackout" is fully controlled with the emergency auxiliary service water system supply and the D2 emergency feedwater diesels (SBO diesels). No measures for increasing robustness beyond the plant design as-is are necessary.


Management of severe accidents

The administrative procedures ensure at all times that the duties of the shift personnel, including the accident management measures, can be performed. The plant fire brigade's rapid deployment team is composed of shift personnel from Unit 1 and Unit 2. There are also standby duty rosters for the plant fire brigade and the usual standby duty rosters for the specialist departments (Maintenance, Health Physics, etc.). In the power plant organization for accident management, the principle is that the competences and responsibilities set out in the personnel plant organization retain their validity in principle even in accident management situations. The power plant's accident management organization consists of the crisis-management group directed by the manager of the Unit affected, taskforce units each directed by their appointed lead member of the emergency management group, the plant fire brigade and the paramedics team. The crisis-management group decides on measures to mitigate or eliminate damage on occurrence of a safety-significant event. To ensure fast response, the respective functional post-holders are on call. Staffing of the posts for convocation of the accident management organization is ensured at all times. The interface to the external organizations is provided by the lead members of the taskforce units. Agreements with external organizations are in place for the provision of technical support for emergency management and defense measures. These organizations include the nuclear support services company, the plant manufacturer and RWE Energie AG. Technical, medical and organizational assistance is also available from the local firefighting services and other emergency-rescue services. Personnel deployed in the nuclear power plant receive instruction on the alerts, what they signify, and appropriate behavior in the various alert situations.
Regular contact is maintained with the full-time fire-fighting service based in the city of Heilbronn and the neighboring fire-fighting services. Drills are conducted in order to ensure that the appropriate corrective actions can be implemented from standby if a fault occurs. The operational capability and functional dependability of the accident management equipment are checked at regular intervals and the results are reported to the supervisory authority. The German safety code requires equipment for implementation of the plant-internal accident management measures to be kept in readiness on site, so that the personnel present in the plant can successfully undertake the plant-internal accident management measures within the grace period available. The corresponding regulations for provision and utilization of the equipment are part of the accident management manual. Mobile equipment from external sources is organized through the nuclear support services convoy. Under the terms of the existing contract this equipment is kept available round the clock and is ready for transportation.


Regulations ensuring minimum stocks have been defined for all consumables and auxiliaries necessary for operation. The accident management manual also covers the management measures and protective measures for minimizing radiation exposure of the personnel. The multiple-level protection concept is applied in this respect. It contains the necessary measures for dosimetric monitoring of the personnel, for potential decontamination and for preventing activity transfer. Facilities for internal and external communication are available to the crisis-management group. In the event of failure of the telephone networks and the power supply, communication channels via satellite phone, satellite fax and the two-way radios of the fire brigade remain usable on the site. Since the remote shutdown station and the emergency feedwater building are staffed at an early juncture in flooding challenges on account of the long grace periods, measures to be taken in the emergency diesel building and emergency feedwater building are independent of the external conditions. All the emergency equipment in the protected areas or buildings remains available even in beyond-design-base high-water events. In summary, it can be stated that in extreme flooding events even accident management measures, if necessary, can be implemented. If communication equipment is lost, communication can be established both internally and externally using mobile two-way transceivers and two-way radios. Moreover, the plant has hard-wired connections for ensuring voice communications between the remote shutdown station staff and the individuals on site. The accident management manual contains the local-dose-rate-dependent and contamination-dependent measures and action options in accordance with the multiple-level protection concept set out in the manual. Implementation of the plant-internal accident management measures in the anticipated environmental conditions is possible on account of the structural shielding.
Separate access routes from the switchgear building to the emergency feedwater building and to the remote shutdown station ensure accessibility without hindrance from outside. The rooms assigned to the crisis-management organization are available even if the power plant site floods. In the event of non-availability of the rooms used by the crisis-management organization, the crisis-management group relocates to the designated external alternative facility. The entire measures package for accident management is designed to withstand influences from earthquake, external events, flooding and station blackout and their superimposition. In summary, it can be stated that even with extreme high-water conditions or earthquake events, the requisite accident management measures can be implemented. The equipment for implementation of the accident management preparedness concept is connected, insofar as necessary, to the emergency power supply.


The requirements for instrumentation and the measured radiological data that enable the plant condition to be identified clearly even under core meltdown conditions are defined in accordance with the requirements of the Nuclear Engineering Code. Even during failure of the power supply to the accident instrumentation, findings can be obtained by means of the sensors. The accident sampling system enables samples to be taken from the atmosphere of the reactor containment and from the containment sump after a beyond-design-base event with core damage. Appropriate validated accident management procedures are part of the accident management manual. The nuclear power plants GKN I and GKN II are each independent of the other and are operated completely separately from each other. On the basis of the events and scenarios considered, the accident management organization is deemed adequate. Since the accident management measures necessary for core cooling can be implemented even under the assumed adverse conditions, no further measures are planned with regard to the effectiveness of accident management. The introduction of the mitigative accident management manual is due for completion in the near future.

Accident management measures for core cooling, for maintaining the integrity of the containment and for limiting the release of activity to the environment

Preventive accident management measures before occurrence of fuel-assembly damage are described in the accident management manual. The successful implementation of one of these accident management measures ensures heat removal. In this way the occurrence of fuel-assembly damage is reliably prevented. After occurrence of fuel-assembly damage inside the reactor pressure vessel, measures are available which, when successfully implemented, are designed to

- extend the grace periods,
- terminate destruction of the core / prevent RPV failure, and
- minimize nuclide release from the reactor containment.

In the event of the RPV failing in consequence of a core meltdown, the GKN I mitigative accident management manual proposes and prioritizes various measures from the accident management manual and the operating manual. Given availability, these measures are intended firstly to maintain the function of the containment as a barrier of defense and secondly to minimize nuclide release and extend grace periods. These measures are also available for GKN II. Adequate measures are available to prevent fuel-assembly damage/meltdown under high pressure. On account of favorable plant characteristics, moreover, passive venting of the reactor cooling loop is highly probable.


The targeted available measures for venting the reactor coolant system are set out in the accident management manual and the operating manual, and the level of reliability for their implementation is high. To prevent hydrogen reactions, there are 58 passive recombiners inside the containment that recombine hydrogen with atmospheric oxygen without external media of any kind whatsoever. Further operational measures for hydrogen reduction inside the containment would be beneficial but are unnecessary, because the passive recombiners effectively limit the hydrogen concentration. If the pressure inside the containment rises in the course of an accident, over-pressure is limited by the containment's venting system. This venting system incorporates a filter system which to a very large extent prevents activity release. Filtered venting of the reactor containment is an accident management measure that can be implemented with a high degree of reliability and which does not require an electrical supply. A recriticality of the melt inside the containment is not anticipated, because all water supplies consist of borated coolant. If the core melt comes into contact with water, it can only be this coolant. Another operational measure to ensure sub-criticality is the extra borating system, which can be used when necessary to introduce borated water from the boration tanks with > 7000 ppm of boron into the reactor coolant system and thus, if necessary, into the reactor cavity. The probability of retention of the core melt inside the reactor pressure vessel can be increased by the injection of water. If the reactor pressure vessel were to fail on account of a core melt, the melt could react chemically with the concrete of the reactor cavity. This concrete erosion by hot melt is reduced when the melt is covered by water. For this reason, the injection of water into the reactor cavity (via the reactor coolant system) or into the sump is of benefit.
A coolable configuration is also feasible for slow accident transients and water coverage of the melt. No precisely specifiable cliff edge effects prior to RPV failure are known. It is evident however that every slowdown in the course of the accident has a clear, positive effect with regard to the grace period preceding RPV failure and for concrete erosion. If heat removal is restored at an early enough juncture, further core destruction can be terminated. The reactor containment venting accident management measure is of special significance with regard to defending the integrity of the containment. No supply functions are necessary for implementation of this measure.


The reliability of human implementation of the "filtered venting of the reactor containment" accident management measure was assessed in the framework of the level-2 PSA. The failure probability for implementation was calculated at 5.6 x 10^-3 (median) and failure is therefore extremely improbable. Except for reactor containment pressure measurement, no further instrumentation is necessary inside the containment to ensure defense against over-pressurization. This accident management measure can be implemented independently and, if necessary, in parallel in the two Units. In conclusion, it can be stated that with a very high degree of probability, the robust containment of GKN II in combination with the "filtered venting of the reactor containment" accident management measure and the passive auto-catalytic recombiners will withstand all the loads to be expected within the framework of an accident. On account of the very large free volume inside the containment, moreover, the grace periods are very long. The level-2 PSA analyses have shown that no further measures for improving defense of containment integrity are necessary or practical with justifiable outlay. If loss of containment integrity occurs in the course of an accident with core melt, different systems could be used or measures implemented to reduce the release of activity, depending on the release path. The mitigative accident management measures manual of GKN I distinguishes between the possible release paths and provides assistance for their diagnosis. The diagnosis strategy is transferable to GKN II. In addition, measures are proposed for reducing release to the environment with measures as set out in the plant operating procedures. If the heads of the fuel assemblies in the spent fuel pool are exposed, the containment prevents the release of radioactive nuclides to the environment.
Under these circumstances, too, the auto-catalytic recombiners limit the hydrogen concentration inside the containment and withdraw the oxygen necessary for combustion. The shielding effect of water coverage in the spent fuel pool is of relevance only for the implementation of accident management measures for alternative water supply to the pool, for which sufficient time is available. The same preventive measures as in the case of release from the RPV/primary cooling circuit act for a radiological release from the fuel assembly pool. Since it is generally viable to assume longer grace periods and an intact containment, there is little likelihood of a significant release to the environment. The loss of cooling of the fuel assemblies in the spent fuel pool can be detected with the existing instrumentation; progressing fuel-assembly damage after loss of cooling can be estimated with the aid of various measurements, comparable with an accident in power operation.


The main control room can remain staffed in the event of an accident with core melt on account of the "main control room inlet air filtration - positive pressurization" accident management measure.


11 KKP-1 / Philippsburg 1

Outline description of the nuclear power plant

Plant description

The Philippsburg 1 Nuclear Power Plant (KKP 1) is located directly on the east (right) bank of the Rhine at river kilometer 389, approximately 30 km north of Karlsruhe and approximately 10 km south of Speyer. It shares the site with the power plant Unit KKP 2, a pressurized water reactor with a gross electrical output of 1468 MW. The KKP 1 NPP is an AEG series 1969 boiling water reactor, having a reactor core with 580 fuel assemblies. Thermal output is 2575 MW, from which one high-pressure turbine and two low-pressure turbines generate 926 MW gross electrical output. Cooling water supply is from the Rhine. The reactor building encloses the safety-important equipment of the plant and is a solid reinforced-concrete structure. Inside the reactor building is the containment, made of steel several centimeters thick, of full-pressure design and enclosing the reactor pressure vessel and the pressure suppression pool. In the year 1979, Philippsburg 1 NPP entered commercial power operation and when the moratorium commenced in mid-March 2011 it had generated more than 193 thousand million kWh of electrical energy. Licensee of the Philippsburg 1 Nuclear Power Plant is EnBW Kernkraft GmbH. The Probabilistic Safety Analyses performed up to now within the framework of periodic safety review for KKP 1 show level-1 PSA results significantly lower than the IAEA target for core-damage frequency (< 10^-4 per year) for plants in operation. Moreover, these results are below the recommended target (10^-5 per year) for new plants; they also show the balance of the system and plant technology of KKP 1. The level-2 PSA conducted within the framework of method validation by the Gesellschaft für Anlagen- und Reaktorsicherheit mbH (GRS) for series 69 BWRs for the period up to 2007 shows that series 69 BWRs evince a very low frequency for serious fission-product releases.
All in all, the level 1 and level 2 PSA results confirm that KKP 1 has a balanced safety concept in place and possesses a very high level of safety.

Culture and guidelines

The two Units at the Neckarwestheim site (GKN I and GKN II) and the two at the Philippsburg site (KKP 1 and KKP 2) and the definitively shut down (decommissioned) Obrigheim nuclear power plant (KWO) are operated by EnBW Kernkraft GmbH (EnKK). The safety of its plants is a top priority for EnKK. The guiding principle is "safety takes priority over economic efficiency". Just like all other German plants, EnKK's nuclear power plants are subject to permanent, independent legal supervision (nuclear supervisory authority). The premise that safety in operation of the plants has topmost priority is also anchored organizationally in EnKK with the management system for nuclear safety, quality assurance, environmental protection and occupational health and safety protection (Integrated Management System), certified in accordance with international standards. This is because, for the safety of its nuclear power plants, EnKK consistently pursues a comprehensive approach making equal provision for the human, technology and organization factors and their interaction. This approach is aimed at continuous optimization and development in all the above-mentioned fields. On account of the safety philosophy outlined above, the plants are operated at a very high safety level, and this also holds true in international comparison. As a matter of fact, for the four plants GKN I and GKN II and KKP 1 and KKP 2 the current results of the safety reviews required by law show that, without exception, all 4 plants satisfy all safety requirements. The safety level of the plants is comparable with that required by the International Atomic Energy Agency (IAEA) for new plants. (Note: Legislation does not require a safety review of KWO, which was decommissioned in 2005). In addition, the International Atomic Energy Agency (IAEA) has repeatedly confirmed an EnKK safety standard of the highest international level. On the initiative of EnKK, the agency assessed the Philippsburg (in 2004 and 2006) and Neckarwestheim (in 2007 and 2009) nuclear power plants in the framework of OSART missions. Given the above-mentioned comprehensive view of the influence of the human, technology and organization factors on safety, OSART missions serve the purpose of obtaining knowledge of the human and organizational aspects of a nuclear power plant. On the basis of its findings, the IAEA declared that EnKK evinces "overall a high degree of commitment and leadership in the management of safety and safety culture." Correspondingly, the plants achieved very good results measured by international standards.
Taken overall, therefore, the comprehensive assessment of the EnKK plants is one of an excellent safety level and a high human-factor and organizational safety culture. In order to ensure that this high degree of safety is not only maintained but indeed constantly raised, EnKK invests and optimizes continuously with regard to all three factors. And of course the company will also continue to identify new requirements and implement measures as necessary. In these endeavors, EnKK will in future continue to pursue its comprehensive approach, in operating, in decommissioning and in dismantling the plants, the approach that makes equal provision for the human, technology and organization factors.

Earthquake

The Philippsburg site is in an area of low seismic activity. For the licensing procedure of KKP 1, a maximum ground acceleration of 150 cm/s² (peak ground acceleration (PGA), rigid body acceleration) was defined for seismic design (maximum potential earthquake or safe shutdown earthquake). For the upgrades planned for and to be implemented after 1988 (e.g. replacement of the feedwater pipe), it was stipulated that the load assumptions for the design basis earthquake were to be based on floor response spectra derived from a ground response spectrum with a maximum ground acceleration of 210 cm/s², with the existing spectrum characteristics for KKP 1 being maintained.


The design basis earthquake is derived from a seismic event having its epicenter more than 100 km from the location. The upper limit for the intensity of this earthquake is I = 7.5 (I = VII-VIII on the MSK scale). Vis-à-vis the actual historically observed seismic activity in the immediate vicinity of the site, this signifies an increase of at least one level of intensity. The probability for the design basis earthquake is less than 10^-5 per year. It has been established in extensive studies that the foundation soil of the power plant evinces all the requisite properties and in particular that soil liquefaction due to dynamic loads and irregular settlement at safety-important buildings can be precluded. In order to obtain the ground response spectra, the characteristic properties of the subsoil at the site and at a point close to the power plant and the natural ground vibration were recorded in a measurement campaign that extended over a period of several months, and analyzed in the form of spectral H/V relations. The results were used to assess the dominant site frequencies, the relation of horizontal to vertical components of the spectrum, and the subsoil classification (thick sediment strata extending to depths of several hundred meters). The Philippsburg site is located in an area of low seismic activity. The seismic load assumptions have been cross-checked by different groups of experts and are well verified. In this context the deterministic hazard analyses were supplemented by probabilistic seismic site analyses. It was demonstrated that the increase in maximum ground acceleration from the original figure of 150 cm/s² to 210 cm/s² is covered by the plant's design margins. The extensive studies undertaken within the past years have confirmed the currently specified design base variables as conservative specifications and consequently there are no findings necessitating a change to the current seismic load postulations for KKP 1.
The design-base variables also comply with the specifications set out in KTA 2201.1, now revised as a draft change amendment proposal (status June 2010). In April 2011, all nuclear power plants in Baden-Württemberg underwent safety review by a team of experts. The team of experts was appointed by the government of Baden-Württemberg in direct reaction to the events in Fukushima. The team of experts ascertained that the current expertise on assessment of the seismic load assumptions at the KKP 1 site not only covers the valid KTA rule 2201.1 in scope of the work, but goes beyond it in specifics. In summary, it can be stated that the present design basis is adequate and compliant with the state of the art. Moreover, the existing design offers further margins for beyond-design-base events. The structures and systems necessary to ensure the requisite safety functions are of earthquake-proof design and build. Moreover, the structures the failure of which could cause impermissible consequential damage to these safety-relevant structures or be detrimental to the boundary conditions of the radiological accident computations for the earthquake service condition are stable. The plant is designed for the design basis earthquake. The ability to dissipate the increase in maximum ground acceleration has been evidenced. Consequently, earthquake-induced "damage possibilities" are duly provided for in the design. The "earthquake" external event is controllable with the available design safety systems, even assuming a repair case and a postulated single failure. The failure in consequence of earthquake of structures, systems and components not essential in an earthquake event was also taken into account in design. Either they were designed directly to withstand the design basis earthquake, or proof was forthcoming that the effects of their failure remain within limits and do not lead to an impermissible restriction of accident control. In accordance with design specifications, a total of 6 emergency power diesels are available to maintain the power supply in a design basis earthquake with total failure of the entire off-site power supply. 2 emergency power diesel generators supply each of the two safety-important 6-kV supply busbars (busbar BU and busbar BV) of the Unit. Independently of this arrangement, there is an emergency power diesel generator (SBO diesel) available for each of the two redundancies of the independent sabotage and DBA protection system (USUS system). As regards accessibility, the damage postulated for the design basis earthquake on the power-plant site and off-site would not impermissibly restrict the availability of the requisite personnel and supply facilities. The licenses and modification licenses and subsequent official requirements and provisions, including the documents cited in the decisions, are deemed to constitute the basis for licensing. In these decisions the licensing authority has set out the legal requirements in the form of licensing documents and auxiliary conditions for the installation and operation of the plants. The process for compliance with the basis for licensing with regard to the necessary systems, components and structures for the earthquake service condition does not differ from the general process for ensuring compliance with the valid basis for licensing.
Compliance with the licenses as granted and with the subsequent provisions is ensured by appropriate internal measures and processes. This procedure undergoes additional surveillance in the form of measures implemented by the state supervisory body on the part of the regulatory authority and independent experts whose services are retained for the purpose. The earthquake external event is a design basis accident that is controlled with the permanently installed safety systems provided for the purpose. No mobile equipment and supply functions are necessary. Neither within the framework of the continuous and periodic reviews nor in the results of the special reviews initiated by the events in Fukushima were any deviations from the basis for licensing identified. By way of arriving at an estimate of the earthquake intensity that could lead to severe core damage, the conservative assumptions and margins in the models along the chain from the determination of the design basis earthquake to the plant as-is are considered and evaluated. The studies revealed no indications of effects which, in the event of a beyond-design-base earthquake, would lead to step-change deterioration (cliff edges) in safety-relevant boundary conditions (e.g. cross-redundancy failure on account of flooding, destruction by consequential explosions, etc.). Evaluation on the basis of the margins as indicated shows that even given a postulated beyond-design-base earthquake with an intensity level I = 9, no global loss of safety-relevant vital functions is anticipated. Given the enormous increase of the effects that this entails, no cliff edge effects are anticipated. At a further increase of intensity to I = 10 for the purposes of this study, relevant earthquake-related failures could not be precluded. A relevant event of this nature would be structural failure of the reactor building. This constitutes a potential cliff edge effect, but one that is hypothetical because the likelihood of its occurrence does not arise until event intensities are in the region of I > 9. Given the geological and tectonic boundary conditions and the low seismicity at the site, earthquakes of such intensity are virtually precluded. The intensity occurrence rate for I > 9 for the site is in the magnitude of 10^-8 per year. With regard to hazards due to severe core damage as the result of a beyond-design-base earthquake, it is to be noted that for KKP 1, even in the event of the design basis earthquake being exceeded significantly, there is no likelihood of the loss of vital safety functions and, on account of site conditions and the robustness of the plant, there is no likelihood of the occurrence of cliff edge effects. This also applies unreservedly for containment boundary integrity. The reactor building of KKP 1 is a reinforced-concrete structure designed to withstand earthquake and integrating a spherical steel enclosure as the containment boundary. Large-area failure of the steel enclosure can be considered in this context as a hypothetical cliff edge effect that can lead to loss of containment boundary integrity.
However, this is not to be reckoned with unless an earthquake event reaches a magnitude in the intensity range I > 9, an occurrence that can be precluded on account of the geological and tectonic boundary conditions and the low seismicity at the site. Assuming a river-dam and lock rupture in consequence of an earthquake, a surge could be expected to descend from upstream. The calculations for the design basis flooding level makes provision for the surge occurring in the event of destruction of water-retention structures upstream from the power plant site. On account of the location and the retained water volumes behind these structures, this surge is minor in comparison with spates from precipitation and snow thaws. It is below the site elevation of the power plant and therefore remains without consequence. On account of the design of the plant and the seismic conditions at the site, robustness against seismic events is high. Consequently, there is no need for further measures.

External Floods

The design basis flood-water level for the plant was fixed at 99.9 meters above datum sea level (99.4 meters above datum sea level + 0.5 meter safety margin). The design basis water level is 0.4 meter lower than the elevation of the power plant site and at least 0.55 meter below the power plant entrances. The power plant site is additionally protected against the Rhine and Old Rhine Rivers by a dam (crest 100.5 meters above datum sea level).

An extreme scenario was modeled for the location with the discharge derived on the basis of the design basis high water level and an adverse choice of dam rupture points and boundary conditions. This extreme scenario returns water levels around 100.6 meters above datum sea level for the area of the KKP site. This is a beyond-design-base flood level well in excess of the design basis flooding level calculated in accordance with KTA 2207. In the beyond-design-base range, therefore, a water level of 101.1 meters above datum sea level (100.6 meters + 0.5 meter addition by analogy with KTA 2207) constitutes the basis. On account of the structural design of the buildings in which the necessary systems are located and with prepared temporary flood protection measures set out in the operating manual, protection is ensured against flooding up to the water level of 101.1 meters above sea level. The methodology for calculating the design basis flooding level is set out primarily in KTA 2207 "Protection of nuclear power plants against flooding". This regulation stipulates an exceedance probability of 10^-4 per year for overtopping of the design basis flooding level. The design basis flooding level was defined in compliance with KTA 2207. It was reassessed in 2004, in the context of a modification of KTA 2207 and in the framework of a regulatory supervisory focus on the influence of extreme weather conditions, and again in 2009 in the context of compilation of the flooding endangerment maps for Baden-Württemberg. The adequacy of design was confirmed. The results of these studies were subject to supervision under nuclear regulatory law. On account of the elevation of the power plant site, at the design basis water level all key buildings, systems and components remain unrestrictedly available so that the plant can be operated in all service conditions.
The structures, systems and components necessary to control the extreme scenario modeled with the discharge derived on the basis of the design basis high water level and an adverse choice of dam rupture points and boundary conditions have protection against flooding or are so protected by temporary measures. At a water level of 100.3 meters above datum sea level the plant is powered down to residual heat removal mode as per the operating manual. Consequently, the plant is already in safe residual heat removal mode in the event of an extreme high water level of 101.1 meters above datum sea level. At this extreme high water level residual heat removal is ensured by using the USUS residual heat removal chain. Pool cooling is maintained by the spent fuel pool cooling and clean-up system. Furthermore, pool cooling can be undertaken by residual heat removal leg 3 or 4. Both residual heat removal chains have emergency power supply. In the event of their non-availability, an alternative for spent fuel pool cooling would be by means of mobile equipment. Water ingress into basement areas is prevented by the groundwater-proof design of the relevant buildings up to grade level, including the integration of ducts, pipe and cable penetration assemblies. Building-entry assemblies in areas with safety-relevant plant parts are of water-tight and pressure-tight design and build. Structure-buoyancy prevention and pressure resistance for the extreme high water level of 101.1 meters above datum sea level are validated for buildings in which the necessary safety-relevant systems are housed.

Defense-in-depth measures to prevent damage due to flooding are set out in the operating manual. The measures start at a Rhine level of 96.50 meters above datum sea level with simple flood precautions such as walkdowns and change-over to fresh water mode and extend through to power-down of the plant to a safe operating mode at a level of 100.30 meters above sea level. Automatic measures to counter high water levels are not necessary, because even for a design basis flooding level the pre-alert period is of the magnitude of days on account of the slow rate of rise when water levels are high. In extreme high water level conditions, residual heat removal is ensured by the USUS residual heat removal chain. To protect the systems, the building apertures in the USUS building are sealed with metal flood defense panels if the level of the Rhine rises above 100.00 meters. Access to the standby water well is defended against flooding by a sheet-metal box enclosure. The access routes to the power plant site are passable for vehicular traffic at design basis high water; the traffic routes on site and the accesses to the buildings are unrestrictedly available. As in other circumstances, personnel availability is assured. Moreover, in the event of access to and from the "Rheinschanzinsel" being interrupted by the river island being cut off, plans are in place to have personnel and consumables flown in by commercial helicopter service suppliers.
The process regarding systems, components and structures necessary for the flooding load does not differ from the general process for ensuring compliance with the valid basis for licensing. Compliance with the licenses as granted and with the subsequent provisions is ensured by appropriate internal measures and processes. This procedure undergoes additional surveillance in the form of measures implemented by the state supervisory body on the part of the regulatory authority and independent experts whose services are retained for the purpose. The process with regard to mobile facilities does not differ from the general process for ensuring compliance with the applicable basis for licensing, as described above. Neither the continuous and periodic review nor the special reviews initiated as a result of the events in Fukushima identified any deviations from the basis for licensing.

Even at still more extreme high water levels, for which the floodwater exceeds the extreme water level of 101.1 meters above datum sea level, the USUS building, the standby water well and the USUS pump building remain available because the access doors are fitted with seals preventing the ingress of water in relevant quantities. Residual heat removal would be by means of the USUS residual heat removal chain. The power supply for all the system functions needed in this condition would be provided by the USUS diesels. Necessary switching actions could be performed in the USUS control room. The design basis flood of 99.9 meters above datum sea level has a return period of 10,000 years. For a high water level of 101.1 meters above datum sea level, which corresponds to the extreme high water level deriving from the above-mentioned extreme scenario for the design basis high water discharge, this consequently means a return period of 100,000 years. The return period of a high water level of 102.05 meters above datum sea level is 1,000,000 years. These and higher water levels are controlled, but in the light of their probability they need not be assumed. On account of the plant's existing high robustness, extending far into the beyond-design-base range, no further measures to increase robustness against flooding are envisaged.

Extreme weather conditions

Plant design took into account various weather conditions (e.g. extreme river-water and air temperatures, wind and snow loads, rainstorm, lightning). The extreme weather conditions in the summer of 2003 gave occasion for a review of whether safety-relevant design and verification parameters would have to be adjusted to allow for extreme weather conditions. The outcome was that the existing design margins of the safety-relevant key structural and mechanical facilities also cover extreme weather. On account of their low frequency of occurrence and the limited effects on the plant's safety system, extreme weather conditions do not contribute significantly to the overall frequency of hazard and core-damage conditions. Combinations that are in causal relationship, such as snow and low temperatures or snow and storm, are taken into account in the design. Superimposition of effects that are not causally related is controlled by design to withstand the individual impacts and by the robustness of the design. The safety-important structural, electro-technical and mechanical facilities are adequately designed against extreme weather loads. There are no safety-relevant effects due to extreme weather influences. On account of the robustness of the building structures in particular, exceeding the design-base values results in no impacts or only limited impacts on the plant's safety system.

The safety-important structural, electro-technical and mechanical facilities are adequately designed against extreme weather impacts. There are no safety-relevant impacts due to extreme weather influences. There are high design margins against extreme weather conditions. Further measures to increase robustness are not necessary.

Loss of power

In the event of extensive grid outages, simultaneous loss of main-grid and off-site power supply connections cannot be excluded. Consequently such a loss of off-site power was taken into account in full scope in the technical design of the power plant. No safety systems are needed for the control of this plant transient. The loss of off-site power was taken into account in the technical design of the power plant. It occurs if the off-site grid supply fails entirely and the plant cannot cover its house load by means of the generator. In summary it can be stated that a sustained loss of off-site power can be reliably endured without external support for more than 14 days.

The failure of the quadruple-redundancy Unit emergency diesels is an accident condition that has to be assigned to the beyond-design-base range. Nevertheless, this event was taken into consideration in plant planning. This design was chosen so that failure of the Unit emergency diesels, internationally designated "station blackout", would be controlled and therefore does not have to be assumed. The USUS emergency power supply, designed in addition to withstand external events, is provided for this purpose. Failure of the Unit emergency diesels and the USUS emergency diesels constitutes a total failure of the three-phase power supply. The reactor is shut down by fast rod insertion. Pressure suppression is regulated by battery-buffered systems. The reactor filling level is maintained by the injection system as long as the batteries are available. A series of accident management measures are in place for

- recovery of the power supply
- feeding the reactor
- heat removal
- cooling the spent fuel pool

In a total failure of the three-phase power supply, the reactor is initially supplied with water by the injection system. The primary aim of the shift is to have recovery of a three-phase supply implemented as soon as possible by means of accident management measures.

All accident management measures set out in the accident management manual are designed such that the procedures in question can be handled by the shift personnel present on their own. Consequently, in principle no external support is necessary for implementation. In power operation, water injection and pressure suppression are initially regulated by battery-backed systems. During this time appropriate accident management measures are implemented to ensure core cooling / heat removal. Only if these accident management measures too were to fail could the fuel assemblies be expected to reach 1200 °C after approximately 7 hours. When the plant is in low power operation the grace period is considerably longer than in power operation. The KKP 1 plant has been shut down since mid-March 2011. When all fuel assemblies are in the spent fuel pool, on account of the steadily diminishing heat rate the grace period for a temperature increase of the pool water to 80 °C increases to more than 50 hours. The robustness of the plant in loss of off-site power condition, in loss of off-site power condition with failure of the Unit emergency diesels, and in addition with failure of the USUS emergency diesels was reassessed. In summary it can be stated that on account of the design and build and the existing plant operating procedures, the plant has a high defense against the loss of power and its consequences. On account of the margins for safeguarding the power supply as indicated, also taking superimposed events (earthquake, flooding, extreme weather conditions) into consideration, no need for measures for further increasing robustness can be identified within the framework of this reassessment. Rather, the events in the Fukushima NPP confirm the robustness of the design principles of the KKP 1 plant discussed here.
Notwithstanding the above, for the present a mobile emergency power diesel generator is kept on site with the objective of even further developing the robustness of the three-phase power supply and thus also the direct-voltage power supply.

Loss of ultimate heat sink and assured auxiliary service water system is available

The KKP 1 power plant is defended in the event of failure of the assured auxiliary service water by an emergency system consisting of 2 residual heat removal legs, each of 100 % design. Each leg has a well pump that draws well water. In this way the residual heat can be removed from the reactor pressure vessel completely independently of the river-water supply. If the assured auxiliary service water is unavailable, post-shutdown decay heat is removed from the reactor pressure vessel by the USUS system. A 2x100% residual heat removal system transfers the post-shutdown decay heat to the USUS auxiliary service water system, which consists of a well with 2x100% pumps.

On account of the technical independence of the USUS system as described, in principle there is no time limit for operation of the residual heat removal chain. On account of the possibilities as described, no external measures are necessary to avoid fuel-assembly damage and consequently such measures are not envisaged. When the above-mentioned accident management measures are in effect and can be maintained, cooling of the reactor core and the storage pool is ensured. Consequently, there is no likelihood of fuel-assembly damage. The measures are all implemented with resources kept in place on the site of the plant, so external support is not necessary. Consequently, there is no necessity to state times to occurrence of fuel assembly damage. In summary this means that the plant has a very high level of defense against loss of the auxiliary service water. The robustness of the KKP 1 plant against loss of the assured auxiliary service water system can be considered adequate on the basis of findings of the previous analyses, and consequently further measures to increase robustness are not derived. With regard to heat removal from the spent fuel pool, evaporation cooling is to be incorporated into the accident management concept.

Loss of ultimate heat sink combined with station blackout

After a failure of the off-site grid supply and failure of the Unit emergency diesels, the USUS diesels are available for three-phase power supply. Soft trip of the plant to the "cold standby" condition is possible at any time. Heat removal via the emergency auxiliary service water system is possible virtually without a time limit, insofar as the system's energy supply is maintained by the USUS system. There are no grounds for apprehending loss of controlled heat removal from the core or the spent fuel pool. No external measures to avoid fuel assembly damage are necessary. The event is fully controlled with the emergency auxiliary service water system supply and the USUS diesels. The "failure of the ultimate heat sink combined with station blackout" event is fully controlled with the emergency auxiliary service water system supply and the USUS diesels. No measures for increasing robustness beyond plant design as-is are necessary.

Management of severe accidents

The administrative procedures ensure at all times that the duties of the shift personnel, including the accident management measures, can be performed. The plant fire brigade's rapid deployment team is composed of shift personnel from Unit I and Unit II.

In the power plant organization for accident management the principle is that the competences and responsibilities set out in the personnel plant organization retain their validity in principle even in accident management situations. The power plant's accident management organization consists of the crisis-management group directed by the manager of the Unit affected, taskforce units each directed by their appointed lead member of the emergency management group, the plant fire brigade and the paramedics team. The crisis-management group decides on measures to contain or mitigate damage on occurrence of a safety-severe event. To ensure fast response, the respective functional postholders are on call. Staffing of the posts for convocation of the accident management organization is ensured at all times. The interface to the external organizations is provided by the lead members of the taskforce units. Agreements with external organizations are in place for the provision of technical support for emergency management and defense measures. These organizations include the nuclear support services company and the plant manufacturer. Technical, medical and organizational assistance is also available from the local firefighting services and other emergency-rescue services. Personnel deployed in the nuclear power plant receive instruction on the alerts, what they signify, and appropriate behavior in the various alert situations. Regular contact is maintained with the neighboring fire-fighting services. Drills are conducted in order to ensure that the appropriate corrective actions can be implemented from standby if a fault occurs. The operational capability and functional dependability of the accident management equipment are checked at regular intervals and the results are reported to the supervisory authority.
The German safety code requires equipment for implementation of the plant-internal accident management measures to be kept in readiness on site, so that the personnel present in the plant can successfully undertake the plant-internal accident management measures within the grace period available. The corresponding regulations for provision and utilization of the equipment are part of the accident management manual. Mobile equipment from external sources is organized through the nuclear support services convoy. Under the terms of the existing contract this equipment is kept available round the clock and is ready for transportation. Stipulations ensuring minimum stocks have been defined for all the auxiliaries and consumables necessary for operation. The management of radioactive releases is undertaken in accordance with the stipulated procedures as set out in the KKP operating manual, in particular the alarm and radiation protection regulations and in accordance with diverse operational instructions, crisis-management group manual: off-site monitoring, calculation of radiation doses from emission values, personnel decontamination, measures of the radiation protection and health physics personnel and staffing of the assembly stations, use of potassium iodide tablets.

Facilities for internal and external communication are available to the crisis-management group. In the event of failure of the telephone networks and the power supply, communication channels via satellite phone, satellite fax and the two-way radios of the fire brigade remain usable on the site. The existing accident management measures were assessed at KKP 1 in terms of their workability given superimposition of earthquake, flooding and station blackout with other external events. This has no effect on the workability of the accident management measures from the control room, the backup control center, or in the field. If communication facilities are lost, communication can be established both internally and externally using the mobile radio transceivers in the fire-response vehicles of the plant fire brigade and the two-way radios deposited at all times in the crisis-management group offices and in the control rooms. The plant also has hard-wired connections, for example between the USUS local control room and the main control room via the inter-control-room telephone system. Apart from the crisis-management group center on the KKP site, there are various other alternative facilities available, for example in Philippsburg and at the power plant sites Obrigheim and Neckarwestheim. These are deployed on the instructions of the crisis-management group in consideration of the radiological situation. When individual dose monitoring is implemented for the task forces, the dose limit can be increased in accordance with the stipulations set out in the Radiological Protection Ordinance and the deployment time. The usability of the main control room is ensured in the event of earthquake, flooding and extreme weather conditions and in the event of the presence of toxic and explosive gases and complicated radiological boundary conditions. The USUS control room is flood-proof and earthquake-proof. It is also protected against external events.
Accessibility is ensured via various routes, including protected buildings. The crisis-management group center in the administration building is not available if the power plant site floods. The management team's duties then have to be discharged by multiple shifts staffing suitable alternative premises. The team is ensured a supply of food and beverages adequate for several days. The existing accident management measures were assessed at KKP 1 to validate their workability under adverse event superimpositions. The superimposition of earthquake, flooding and station blackout with other external events was a particular focus of assessment. It was established that in terms of workability some measures are affected or are not workable. The requirements for instrumentation and the measured radiological data that enable plant condition to be identified clearly even under core meltdown conditions and that supply the information necessary for the accident management measures are regulated.

The requirement set out in the KTA code defining scope and location of the indicators of the accident instrumentation has been implemented. Independently of the accident instrumentation, an accident sampling system is available in KKP 1. The accident sampling system enables samples to be taken from the containment atmosphere and the containment sump after a beyond-design-base event with core damage. The nuclear power plants KKP 1 and KKP 2 are each independent of the other and are operated completely separately from each other. On the basis of the events and scenarios considered, the emergency organization is adequate. No further measures are planned.

Accident management measures for core cooling, for maintaining the integrity of the containment and for limiting the release of activity to the environment

The accident management manual sets out preventive plant-internal accident management measures with which, when implemented successfully, heat removal is ensured and thus the occurrence of fuel-assembly damage is prevented. The availability requirements for the safety systems and the safety-important systems are regulated in the operating manual. Equipment necessary for accident management measures is kept on site. In principle there is no expectation of RPV pressure still remaining high under emergency conditions. Nonetheless, accident management measures for pressure relief are in place. The hydrogen concentration inside the containment is monitored continuously. On account of inertisation, there is insufficient oxygen present for combustion inside the containment. Moreover, hydrogen can be burned off in a controlled manner by thermal recombiners. In addition, a system for filtered venting is installed. Inertisation of the containment and the requisite start-up of the H2 reduction system are described in the operating manual. Similarly, the availability requirements for these systems are also set out in the operating manual, along with those for the venting system. Filtered pressure relief (venting) of the containment is performed as an accident management measure as defense against high containment pressure, in order to prevent impermissible over-pressurization of the containment. As set out in the accident management manual, measures are in place to reduce pressurization in the containment. Furthermore, measures are in place to reduce pressure inside the containment by dry well spraying. In addition, filtered venting is available as a further measure. Filtered venting of the containment is an accident management measure that can be implemented with a high degree of reliability and which does not require a voltage supply. Measures for longer-term operation or cyclic operation are set down.

Boration of the coolant, or additional systems to ensure sub-criticality, are not necessary for the core of a BWR. With the control rods inserted a BWR core cannot go critical. Special provisions in operations management are not necessary in this respect for a BWR. The probability of retention of the melt inside the RPV can be increased by the injection of water. Within the framework of level-2 PSA, various scenarios with different time ranges for core destruction were analyzed. It is evident that every slowdown in the course of the accident achieved by suitable accident management measures for core cooling has a clear, positive effect with regard to the grace period preceding RPV failure and for concrete erosion. If heat removal is restored at an early enough juncture, further core destruction can be terminated. Filtered containment venting can be performed even without a supply of electrical energy, so the integrity of the containment is reliably sustained. The primary instrumentation for accidents is the accident instrumentation, routed to the control room and the backup control center, and an accident sampling system. In summary it is ascertained that the existing instrumentation is suitable for identifying plant status even under core meltdown conditions. Successful implementation of the "filtered containment venting" accident management measure is sufficient to protect the integrity of the containment. This can be performed independently in each Unit. The robust containment of KKP 1 in combination with the "filtered containment venting" accident management measure and the catalytic recombiners will with very high probability withstand all loads to be expected in the event of an accident.
On account of the large free volume inside the containment, moreover, the grace periods are very long. When the RPV is intact and the containment sealed, both barriers have high priority, because an RPV failure can lead to containment failure. In this respect, measures for complying with these safety protection goals are set out in the accident management manual. Moreover, drafts for new accident management measures have already been prepared at KKP 1. The implementation of evolved accident management measures is undergoing internal proof at this time. The air ventilation facilities of the reactor building can be used selectively for activity retention and minimization. The main control room remains staffed. The switching actions are carried out in accordance with the operating manual and the accident management manual.

A purging air facility is installed for limiting radioactive nuclide release from the reactor building to the environment. This facility enables air to be drawn from inside the reactor building, filtered and discharged via the stack. Moreover, central air-ventilation isolation is also possible, isolating all buildings, inter alia, from the exhaust air and maintaining negative pressure with the purging air facility. In this way no release of radioactive nuclides from the reactor building is possible. Consequently, no accident management measures are necessary. Notwithstanding the above, measures for air flow reduction and complete isolation of air ventilation are set out in the accident management manual. On account of the "filtration of control room inlet air in the event of activity release" accident management measure, the main control room can remain staffed. If only cooling of the fuel assemblies in the spent fuel pool fails, the hydrogen arisings are conveyed to the outside in a controlled manner by means of the purging air system. The shielding effect is of relevance only for the implementation of accident management measures for alternative water supply to the spent fuel pool. The expected grace periods for exposure of the fuel assemblies in the spent fuel pool are very long, due in part to the fact that all connected pipes are set considerably higher than the heads of the fuel assemblies. A purging air facility is installed for limiting radioactive nuclide release from the spent fuel pool to the environment. This system enables air to be drawn in from above the spent fuel pool, filtered and discharged via the stack. Moreover, central air ventilation isolation is also possible, isolating all buildings, inter alia, from the exhaust air and maintaining negative pressure with the purging air facility.
In this way no release of radioactive nuclides from the reactor building is possible. Consequently, no accident management measures are necessary. Metering of the spent fuel pool water level and metering of the spent fuel pool temperature are available. In addition, a temperature rise inside the reactor building is indicative of a boiling condition. An occurrence of fuel assembly damage is detectable with the dose rate control point at the reactor service floor. Camera monitoring of the spent fuel pool is also installed. On account of the "filtration of control room inlet air in the event of activity release" accident management measure, the main control room can remain staffed. On the basis of the events and scenarios considered, the precautions to limit activity release are adequate.

12 KKP-2 / Philippsburg 2

Outline description of the nuclear power plant

Plant description

The Philippsburg 2 Nuclear Power Plant (KKP 2) is located directly on the east (right) bank of the Rhine at river kilometer 389, approximately 30 km north of Karlsruhe and approximately 10 km south of Speyer. It shares the site with the power plant Unit KKP 1, a boiling water reactor with a gross electrical output of 926 MW. The KKP 2 NPP is a pressurized water reactor manufactured by KWU (Kraftwerk Union), belonging to the "Vor-Konvoi" series and having a reactor core with 193 fuel assemblies. The 4-loop plant has four steam generators and four-leg, spatially segregated safety systems (e.g. 4 emergency-cooling and heat-removal systems, 4 emergency diesels) and four additional emergency feedwater diesels (SBO diesels). Thermal output is 3950 MW, from which 1468 MW gross of electrical energy (net 1402 MW) is generated by one high-pressure and three low-pressure turbine sections. Cooling water supply is from the Rhine. The reactor building is a solid reinforced-concrete structure; along with safety-important equipment it also houses the containment, which is of steel. This containment is of full-pressure design and it encloses the primary cooling circuit with its components (including, among others, the reactor pressure vessel with connecting piping, the main cooling pumps and the steam generators) and the spent fuel pool for spent fuel assemblies. In March 1989, Philippsburg 2 NPP commenced commercial power operation and from then until the end of June 2011 it had generated more than 287 thousand million kWh gross of electrical energy. Licensee of the Philippsburg 2 Nuclear Power Plant is EnBW Kernkraft GmbH (EnKK).
The Probabilistic Safety Analyses performed up to now within the framework of the periodic safety review for KKP 2, in accordance with the Probabilistic Safety Analysis Guide published by the Federal German Ministry of the Environment (BMU) on August 30, 2005, show level-1 PSA results significantly lower than the IAEA target for plants in operation (< 10^-4 per year). Moreover, these results are below the recommended target (10^-5 per year) for new plants; they also show the balance of the system and plant technology of GKN II. The level-2 PSA results show that the KKP 2 frequencies for serious fission-product release are extremely low. All in all, the level-1 and level-2 PSA results confirm that KKP 2 has a balanced safety concept in place and possesses a very high safety level.

Culture and guidelines

The two Units at the Neckarwestheim site (GKN I and GKN II), the two at the Philippsburg site (KKP 1 and KKP 2) and the definitively shut down (decommissioned) Obrigheim nuclear power plant (KWO) are operated by EnBW Kernkraft GmbH (EnKK). The safety of its plants is a top priority for EnKK. The guiding principle is "safety takes priority over economic efficiency". Just like all other German plants, EnKK's nuclear power plants are subject to permanent, independent legal supervision (nuclear supervisory authority). The premise that safety in operation of the plants has topmost priority is also anchored organizationally in EnKK with the management system for nuclear safety, quality assurance, environmental protection and occupational health and safety protection (Integrated Management System), certified in accordance with international standards. This reflects the fact that, for the safety of its nuclear power plants, EnKK consistently pursues a comprehensive approach making equal provision for the human, technology and organization factors and their interaction. This approach is aimed at continuous optimization and development in all the above-mentioned fields. On account of the safety philosophy outlined above, the plants are operated at a very high safety level, and this also holds true in international comparison. As a matter of fact, for the four plants GKN I, GKN II, KKP 1 and KKP 2 the current results of the safety reviews required by law show that, without exception, all 4 plants satisfy all safety requirements. The safety level of the plants is comparable with that required by the International Atomic Energy Agency (IAEA) for new plants. (Note: Legislation does not require a safety review of KWO, which was decommissioned in 2005.) In addition, the IAEA has repeatedly confirmed an EnKK safety standard of the highest international level. On the initiative of EnKK, the agency assessed the Philippsburg (in 2004 and 2006) and Neckarwestheim (in 2007 and 2009) nuclear power plants in the framework of OSART missions. Given the above-mentioned comprehensive view of the effect of the human, technology and organization factors on safety, OSART missions serve the purpose of obtaining knowledge of the human and organizational aspects of a nuclear power plant.
On the basis of its findings, the IAEA declared that EnKK evinces "overall a high degree of commitment and leadership in the management of safety and safety culture." Correspondingly, the plants achieved very good results measured by international standards. Taken overall, therefore, the comprehensive assessment of the EnKK plants is one of an excellent safety level and a high human-factor and organizational safety culture. In order to ensure that this high degree of safety is not only maintained but indeed constantly raised, EnKK invests and optimizes continuously with regard to all three factors. And of course the company will also continue to identify new requirements and implement measures as necessary. In these endeavors, EnKK will in future continue to pursue its comprehensive approach — in operating, in decommissioning and in dismantling the plants — the approach that makes equal provision for the human, technology and organization factors.

Earthquake

For the licensing procedure of KKP 2, a maximum ground acceleration of 210 cm/s² (peak ground acceleration (PGA), rigid body acceleration) was defined for seismic design (maximum potential earthquake or safe shutdown earthquake). This definition is based on a deterministic seismic hazard analysis allowing for the special requirements for nuclear power plants with regard to resistance to seismic events.


The design basis earthquake is derived from a seismic event having its epicenter more than 100 km from the location. The upper limit for the intensity of this earthquake is I = VII - VIII (MSK scale). Vis-à-vis the actual historically observed seismic activity in the immediate vicinity of the site, this signifies an increase of at least one level of intensity. The probability for the design basis earthquake is less than 10^-5 per year. It has been established in extensive studies that the foundation soil of the power plant evinces all the requisite properties and in particular that soil liquefaction due to dynamic loads and irregular settlement at key safety-important buildings can be precluded. In order to obtain the ground response spectra, the characteristic properties of the subsoil at the site and at a point close to the power plant and the natural ground vibration were recorded in a measurement campaign that extended over a period of several months, and analyzed in the form of H/V spectral ratios. The results were used to assess the dominant site frequencies, the ratio of horizontal to vertical components of the spectrum, and the subsoil classification (thick sediment strata extending to depths of several hundred meters). The Philippsburg site is located in an area of low seismic activity. The seismic load assumptions have been cross-checked by different groups of experts and are well verified. In this context the deterministic hazard analyses were supplemented by probabilistic seismic site analyses. The extensive studies undertaken within the past years have confirmed the original design base variables as conservative specifications and consequently there have been no findings necessitating a change to the seismic load assumptions for KKP 2. The design-base variables also comply with the specifications of KTA 2201.1, currently being revised (draft amendment, status June 2010).
In April 2011, all nuclear power plants in Baden-Württemberg underwent safety review by a team of experts. The team of experts was appointed by the government of Baden-Württemberg as a direct reaction to the events in Fukushima. The team of experts ascertained that the current expertise on assessment of the seismic load assumptions at the KKP site not only covers the valid KTA rule 2201.1 in scope of the work, but goes beyond it in specifics. In summary it can be stated that the present design basis is adequate and compliant with the state of the art. Moreover, the existing design offers further margins for beyond-design-base events. The structures, systems and components necessary for accident control are designed to provide protection against the design basis earthquake; they have margins and are therefore also robust against beyond-design-base earthquakes. The plant is designed for the design basis earthquake. Consequently, earthquake-induced "damage possibilities" are duly provided for in the design. The "earthquake" external event is controllable with the available design safety systems, even assuming a repair case and a postulated single failure. In addition, the earthquake-conditioned core damage frequency was calculated in the earthquake PSA and the system functions for control of seismic action were systematically analyzed. The earthquake-conditioned failure of the facilities designed specially against the design basis earthquake contributes no more than insignificantly to the earthquake-conditioned core damage frequency. It was shown that no dominant relevant contributions result from the earthquake-conditioned failure of structures, systems and components. Consequently, no cliff edge effects are identifiable even in relation to earthquake events of very low probability. The failure in consequence of earthquake of structures, systems and components not essential in an earthquake event was also taken into account in design. Either they were designed directly to withstand the design basis earthquake, or it was demonstrated that the effects of their failure remain within limits and do not lead to an impermissible restriction of accident control. In accordance with design specifications, power supply from the emergency power systems in the event of a design basis earthquake and simultaneous failure of all off-site power grid connections and generator-supply failure is provided by the generators of the D1 emergency power system. In addition, a further supply is available through the D2 emergency power system (SBO diesels). As regards accessibility, the damage postulated for the design basis earthquake on the power-plant site and off-site would not impermissibly restrict the availability of the requisite personnel and supply facilities. The licenses and modification licenses and subsequent official requirements and provisions, including the documents cited in the decisions, are deemed to constitute the basis for licensing. In these decisions the licensing authority has set out the legal requirements in the form of licensing documents and auxiliary conditions for the installation and operation of the plants.
The process for compliance with the basis for licensing with regard to the systems, components and structures necessary for the earthquake service condition does not differ from the general process for ensuring compliance with the valid basis for licensing. Compliance with the licenses as granted and with the subsequent provisions is ensured by appropriate internal measures and processes. This procedure undergoes additional surveillance in the form of measures implemented by the state supervisory body on the part of the regulatory authority and independent experts whose services are retained for the purpose. The earthquake external event is a design basis accident that is controlled with the permanently installed safety systems provided for the purpose. No mobile equipment and supply functions are necessary. Neither within the framework of the continuous and periodic reviews nor in the results of the special reviews initiated by the events in Fukushima were any deviations from the basis for licensing identified. By way of arriving at an estimate of the earthquake intensity that could lead to severe core damage, the conservative assumptions and margins in the models along the chain from the determination of the design basis earthquake to the plant as-is are considered and evaluated. The studies revealed no indications of effects which, in the event of a beyond-design-base earthquake, would lead to step-change deterioration (cliff edges) in safety-relevant boundary conditions (e.g. cross-redundancy failure on account of flooding, destruction by consequential explosions, etc.). Evaluation on the basis of the margins as indicated shows that even given a beyond-design-base earthquake with an intensity level I = 9, no global loss of safety-relevant functions is anticipated. Given the enormous increase of the effects that this entails, no cliff edge effects are anticipated. At a further increase of intensity to I = 10 for the purposes of this study, relevant earthquake-related failures could not be precluded. A relevant event of this nature would be structural failure of the reactor building. This constitutes a potential cliff edge effect, but one that is hypothetical because the likelihood of its occurrence does not arise until event intensities are in the region of I > 9. Given the geological and tectonic boundary conditions and the low seismicity at the site, earthquakes of such intensity are virtually precluded. The intensity occurrence rate for I > 9 for the site is in the magnitude of 10^-8 per year. With regard to hazards due to severe core damage as the result of a beyond-design-base earthquake, it is to be noted that for KKP 2, even in the event of the design basis earthquake being exceeded significantly, there is no likelihood of the loss of safety functions and, on account of site conditions and the robustness of the plant, there is no likelihood of the occurrence of cliff edge effects. This also applies unreservedly for containment boundary integrity. The reactor building of KKP 2 is a solid reinforced-concrete structure integrating a spherical steel enclosure as the containment boundary. Large-area failure of the steel enclosure can be considered in this context as a hypothetical cliff edge effect that can lead to loss of containment boundary integrity.
However, this is not to be reckoned with unless an earthquake event reaches a magnitude in the intensity range I > 9, an occurrence that can be precluded on account of the geological and tectonic boundary conditions and the low seismicity at the site. Assuming a river-dam and lock rupture in consequence of an earthquake, a surge could be expected to descend from upstream. The calculations for the design basis flooding level make provision for the surge occurring in the event of destruction of water-retention structures upstream from the power plant site. On account of the location and the retained water volumes behind these structures, this surge is minor in comparison with spates from precipitation and snow thaws. It is below the site elevation of the power plant and therefore remains without consequence. On account of the design of the plant and the seismic conditions at the site, robustness against seismic events is high. Consequently, there is no need for further measures.

External Floods

The design basis flood-water level for the plant was fixed at 99.9 meters above datum sea level (99.4 meters above datum sea level + 0.5 meter safety margin). The design base water level is 0.4 meter lower than the elevation of the power plant site and at least 0.55 meter below the power plant entrances. The power plant site is additionally protected against the Rhine and Old Rhine Rivers by a dam (crest 100.5 meters above datum sea level).

An extreme scenario was modeled for the location with the discharge derived on the basis of the design basis high water level and an adverse choice of dam rupture points and boundary conditions. This extreme scenario returns water levels around 100.6 meters above datum sea level for the area of the KKP site. This is a beyond-design-base flood level well in excess of the design basis flooding level calculated in accordance with KTA 2207. In the beyond-design-base range, therefore, a water level of 101.1 meters above datum sea level (100.6 meters + 0.5 meter addition by analogy with KTA 2207) constitutes the basis. On account of the structural design against high water and the elevation of the accesses, higher than 102.05 m above datum sea level, to buildings housing safety-important equipment necessary for heat removal, corresponding high water levels are controlled. The methodology for calculating the design basis flooding level is set out primarily in KTA 2207 "Protection of nuclear power plants against flooding". This regulation stipulates an exceedance probability of 10^-4 per year for overtopping of the design basis flooding level. The design basis flooding level was defined in compliance with KTA 2207. It was reassessed in 2004, in the context of a modification of KTA 2207 and in the framework of a regulatory supervisory focus on the influence of extreme weather conditions, and again in 2009 in the context of compilation of the flooding endangerment maps for Baden-Württemberg. The adequacy of design was confirmed. The results of these studies were reviewed under nuclear regulatory supervision. On account of the elevation of the power plant site, at the design basis water level all key buildings, systems and components remain unrestrictedly available so that the plant can be operated in all service conditions.
The structures, systems and components necessary to control the extreme scenario modeled with the discharge derived on the basis of the design basis high water level and an adverse choice of dam rupture points and boundary conditions are also not at risk from flooding. At a water level of 100.3 meters above datum sea level the plant is powered down to residual heat removal mode as per the operating manual. Consequently, the plant is already in safe residual heat removal mode in the event of an extreme high water level of 101.1 meters above datum sea level. At this extreme high water level residual heat removal is ensured by using the residual heat removal chain or the emergency residual heat removal chain. Pool cooling is by the third pool cooling leg, which has emergency power supply. Moreover, pool cooling can also be effected by two pool cooling legs connected to the residual heat removal legs. The pool cooling pumps of these legs can be powered off both the D1 system and the D2 system (SBO diesels). Heat removal is via the emergency residual heat removal system, which is also supplied off both these supplies. Water ingress into basement areas is prevented by the groundwater-proof design of the relevant buildings up to grade level, including the integration of ducts, pipe and cable penetration assemblies. Building-entry assemblies in areas with safety-relevant plant parts are of water-tight and pressure-tight design and build. Structure-buoyancy prevention and pressure resistance for the extreme high water level of 101.1 meters above datum sea level are validated for buildings in which the necessary safety-relevant systems are housed. The entrances to these buildings are higher than 102.05 meters above datum sea level and therefore about 95 cm higher than the extreme high water level of 101.1 meters above datum sea level. Defense-in-depth measures to prevent damage due to flooding are set out in the operating manual. The measures start at a Rhine level of 96.50 meters above datum sea level with simple flood precautions such as walkdowns and changeover to fresh water mode and extend through to power-down of the plant to a safe operating mode at a level of 100.30 meters above sea level. Automatic measures to counter high water levels are not necessary, because even for a design basis flooding level the pre-alert period is of the magnitude of days on account of the slow rate of rise when water levels are high. The access routes to the power plant site are passable for vehicular traffic at design basis high water; the traffic routes on site and the accesses to the buildings are unrestrictedly available. As in other circumstances, personnel availability is assured. Moreover, in the event of access to and from the "Rheinschanzinsel" being interrupted by the river island being cut off, plans are in place to have personnel and consumables flown in by commercial helicopter service suppliers. The process regarding systems, components and structures necessary for the flooding load does not differ from the general process for ensuring compliance with the valid basis for licensing. Compliance with the licenses as granted and with the subsequent provisions is ensured by appropriate internal measures and processes.
This procedure undergoes additional surveillance in the form of measures implemented by the state supervisory body on the part of the regulatory authority and independent experts whose services are retained for the purpose. The process with regard to mobile facilities does not differ from the general process for ensuring compliance with the applicable basis for licensing, as described above. Neither within the framework of the continuous and periodic reviews nor in the special reviews initiated as a result of the events in Fukushima were any deviations from the basis for licensing identified. Even at still more extreme high water levels, for which the floodwater exceeds the extreme water level of 101.1 meters above datum sea level or even overtops the access elevation of 102.05 meters of the safety-important buildings, the reactor building and the emergency feedwater building remain available because the doors have seals preventing water from entering even after rising to the spot height of the access ways.


A critical height is not reached until the water level has risen to the air intakes of the D2 diesels (SBO diesels), which are approximately 4 meters above the elevation of the power plant. The design basis flood of 99.9 meters above datum sea level has a return period of 10,000 years. For a high water level of 101.1 meters above datum sea level, which corresponds to the extreme high water level deriving from the above-mentioned extreme scenario for the design base high water discharge, this consequently means a return period of 100,000 years. The return period of high water levels rising to the access elevation of the key safety-relevant buildings of 102.05 meters above datum sea level is 1,000,000 years. These high water levels are controlled. Moreover, even more improbable high-water levels up to the air intakes of the D2 diesels (SBO diesels) in the emergency feedwater building could be controlled. Water levels this high need not be assumed, on account of their probability. On account of the plant's existing high robustness, extending far into the beyond-design-base range, no further measures to increase robustness against flooding are envisaged.

Extreme weather conditions

Plant design took into account various weather conditions (e.g. extreme river-water and air temperatures, wind and snow loads, rainstorm, lightning). The extreme weather conditions in the summer of 2003 initiated a review of whether safety-relevant design and verification parameters would have to be adjusted to allow for extreme weather conditions. The outcome was that the existing design margins of the safety-relevant key structural and mechanical facilities also cover extreme weather. On account of their low frequency of occurrence and the limited effects on the plant's safety system, extreme weather conditions do not contribute significantly to the overall frequency of hazard and core-damage conditions. Combinations that are in causal relationship, such as snow and low temperatures or snow and storm, are taken into account in the design. Superimposition of effects that are not causally related is controlled by design to withstand the individual impacts and by the robustness of the design against other events. The safety-important structural, electro-technical and mechanical facilities are adequately designed against extreme weather loads. There are no safety-relevant impacts due to extreme weather influences. On account of the robustness of the building structures in particular, exceeding the design-base values results in no impacts or only limited impacts on the plant's safety system.


The safety-important structural, electro-technical and mechanical facilities are adequately designed against extreme weather impacts. There are no safety-relevant impacts due to extreme weather influences. There are high design margins against extreme weather conditions. Further measures to increase robustness are not necessary.

Loss of power

In the event of extensive grid outages affecting the electricity transmission system and the distributing network, simultaneous loss of main-grid and off-site power supply connections cannot be excluded. Consequently such an off-site grid disruption was taken into account in the technical design of the power plant. No safety systems are needed for control of this plant transient. This simultaneous non-availability of the main off-site grid supply and the back-up supply and failure of load shedding to auxiliary station supply constitutes what is known as loss of off-site power. The loss of off-site power condition is a design base fault. No accident management measures are necessary. In summary it can be stated that, utilizing all plant-internal fuel reserves and without external support, endurance of a sustained loss of off-site power condition over a period of more than seven days is ensured. The failure of the quadruple-redundancy D1 emergency diesels is an accident condition that has to be assigned to the beyond-design-base range. Nevertheless, this event was taken into consideration in plant planning. The D2 emergency feedwater system, which is additionally designed against external events, is available for this purpose. The failure of the D1 emergency diesels and the D2 emergency feedwater diesels (SBO diesels) constitutes total failure of the three-phase supply. The accident management measure secondary-side "bleed and feed" is in place for controlling the effects of a total failure of the three-phase supply. In a total failure of the three-phase power supply (failure of the D1 emergency diesels and the D2 emergency feedwater diesels), the primary aim of the shift is to sustainably maintain heat removal to the secondary side and have reestablishment of a three-phase supply implemented as soon as possible by means of accident management measures.
There are several accident management measures available for restoring a three-phase power supply with mobile or special external equipment. The measures for restoring the substitute power supply as set out in the accident management manual are designed such that the procedures in question can be handled by the shift personnel present without external support. The question posited as to the time available for the restoration of regular core cooling can be answered in general terms with a figure of about one day, without the core fuel heating up in an unacceptable way.


All events in the EU stress test, which also cover extremely unlikely beyond-design-base accidents and which accordingly are to be assessed, are managed even in the long term by KKP 2 without external support, so there are no grounds for apprehending fuel assembly damage in the reactor core or the fuel assembly pool. The engineered plant precautions of particular significance in this respect are the various permanently installed multiple-redundancy and diversified emergency diesel systems and supplementary accident management measures corresponding to the defense-in-depth safety concept. Accordingly, in a failure of the auxiliary electrical power supply, a failure of the quadruple-redundancy emergency diesels (D1 emergency diesel system) is controlled by the quadruple-redundancy emergency feedwater diesels (D2 emergency feedwater system). This design was chosen so that failure of the emergency diesels, internationally designated "station blackout", would be controlled and therefore does not have to be assumed. Without refueling from off site, the fuel reserves stocked for the diesel generators ensure the operating capability of each for so long a period that, even under the difficult boundary conditions for the accessibility of the power plant site defined by ENSREG, a considerable time reserve of several days can be ensured for refueling from off site. On account of the margins for safeguarding the power supply as indicated, also taking superimposed events (earthquake, flooding, extreme weather conditions) into consideration, no need for measures for further increasing robustness can be identified within the framework of this reassessment. Conversely, the events in the Fukushima nuclear power plant reconfirm in a special way the robustness of the design principles under discussion here for the KKP 2 plant.
Notwithstanding the above, for the present a mobile emergency power diesel generator is kept on site with the objective of even further developing the robustness of the three-phase power supply and thus also of the direct-voltage power supply. In addition, the concept of this mobile power supply is to be further developed in technical and administrative respects.

Loss of ultimate heat sink

An assured auxiliary service water system is available. It is of four-leg design and it supplies the cooling points of the D1 emergency power diesels and the nuclear component cooling points. If the assured auxiliary service water is unavailable there is also a 2 x 100 % emergency auxiliary service-water system that is also operated with river water in recirculation cooling. In this way, if the residual heat removal chain fails, heat removal can be sustained by one of the emergency residual heat removal chains. In addition, in the event of a complete failure of all auxiliary service water tapping from the river, it is possible to ensure emergency auxiliary service water supply from a backup water well. If the assured auxiliary service water supply fails, residual heat is removed to the environment via the steam relief stations of the steam generators. The feedwater supply to the steam generators is independent of the external cooling water supply. Since the residual heat removal chains are not available if the assured auxiliary service-water system fails, the emergency residual heat removal chain has to be started if the secondary heat sink fails or if the reactor cooling system is open.


On account of the technical independence of the emergency auxiliary service water system as described, in principle there is no time limit for operation of the residual heat removal chain. Given the possibilities as described, no external measures are necessary for avoidance of fuel assembly damage and consequently none are envisaged. In a total failure of the assured auxiliary service water system and the emergency auxiliary service water system, there is no time restriction with regard to the feedwater supply for the steam generators. The time available for restoration of a failed heat sink is approximately one day, given the specified temperature of the fuel assembly pool. Direct damage of the core fuel, in contrast, is not to be apprehended. The emergency auxiliary service-water system is to be considered as an alternative heat sink to the auxiliary service-water system and it too is unaffected by extreme low-water levels. It is designed against all the external events under consideration (flooding, explosion blast wave, etc.) and the energy supply is via the D2 emergency power supply system (SBO diesels). In summary, it can be stated that on account of the design of the assured auxiliary service-water system and given the diversity with the emergency auxiliary service-water system and the additional standby water system, external events and any impairment of the receiving water are covered. This also applies for beyond-design-base flooding with superimposition of station blackout. The robustness of the KKP 2 plant against loss of the assured auxiliary service water can be considered adequate on the basis of the findings of the previous analyses and consequently no further measures to increase robustness are derived. With regard to heat removal from the spent fuel pool, evaporation cooling is to be incorporated into the accident management concept.

Loss of ultimate heat sink combined with station blackout

In a failure of the D1 emergency diesels, the D2 emergency feedwater diesels (SBO diesels) are available. In this case, too, soft trip of the plant to the "cold standby" condition is possible at any time. Demand-optimized operation of the D2 emergency feedwater diesels (SBO diesels) extends the fuel supplies to a period of at least 7 days. In this way controlled heat removal via the emergency auxiliary service-water system supply with assured D2 emergency feedwater diesel (SBO diesels) operation is possible without time limit. There are no grounds for apprehending loss of normal heat removal from the core. No external measures to avoid fuel assembly damage are necessary. The event is fully controlled with the emergency auxiliary service water system supply and the D2 emergency feedwater diesels (SBO diesels). The effects of the "failure of the ultimate heat sink combined with station blackout" event are fully controlled with the emergency auxiliary service-water system supply and the D2 emergency feedwater diesels (SBO diesels). No measures are necessary to increase the robustness of the plant against loss of the auxiliary service water supply combined with station blackout.

Management of severe accidents
The regular staffing level is the shift complement, with which all tasks for plant operation and the accident management measures can be handled. The shift fire-fighting group is drawn partly from shift personnel of Unit 1 and Unit 2 and site security personnel, and partly from a duty roster of the plant fire brigade. In the power plant organization for accident management, the principle is that the competences and responsibilities set out in the personnel plant organization retain their validity in accident management situations. The power plant's accident management organization consists of the crisis-management group directed by the manager of the affected Unit, taskforce units each directed by their appointed lead member of the emergency management group, and the organizational units "Safety and Security", "Radiology" and "Technical Support". The crisis-management group decides on measures to mitigate or eliminate damage on occurrence of a safety-significant event. To ensure fast response, the respective functional postholders are on call; staffing of the posts for convocation of the accident management organization is ensured at all times. The interface to external organizations is provided by the lead members of the taskforce units. Agreements with external organizations are in place for the provision of technical support for emergency management and defense measures; these organizations include the nuclear support services company and the plant manufacturer. Technical, medical and organizational assistance is also available from the local fire-fighting services and other emergency-rescue services. Personnel deployed in the nuclear power plant receive instruction on the alerts, what they signify, and appropriate behavior in the various alert situations. Regular contact is maintained with the neighboring fire-fighting services.
Drills are conducted in order to ensure that the appropriate corrective actions can be implemented from standby if a fault occurs. The operational capability and functional dependability of the accident management equipment are checked at regular intervals and the results are reported to the supervisory authority. The German safety code requires equipment for implementation of the plant-internal accident management measures to be kept in readiness on site, so that the personnel present in the plant can successfully undertake the plant-internal accident management measures within the grace period available. The regulations laid down to this end are part of the accident management manual. These regulations include the provision and utilization of the equipment. As a precaution in case of difficult accessibility, the resources needed to implement the plant-internal accident management measures are deposited directly on site. Mobile equipment from external sources is organized through the nuclear support services convoy. Under the terms of the existing contract this equipment is kept available round the clock and is ready for transportation.


KKP has adequate supplies of consumables and auxiliaries, particularly fuel for operation of the diesels. The management of radioactive releases is undertaken in accordance with the stipulated procedures as set out in the KKP operating manual, in particular the alarm and radiation protection regulations, and in accordance with various operational instructions: the crisis-management group manual, off-site monitoring, calculation of radiation doses from emission values, personnel decontamination, measures of the radiation protection and health physics personnel, staffing of the assembly stations, and use of potassium iodide tablets. Facilities for internal and external communication are available to the crisis-management group. In the event of failure of the telephone networks and the power supply, communication channels via satellite phone, satellite fax and the two-way radios of the fire brigade remain usable on the site. The measures are designed against the impacts of earthquake, external events, flooding and station blackout and their superimpositions by being sited in buildings protected against external events and earthquakes, and by assurance of the power supply by an additional mobile diesel generator. Similarly, the resources necessary for implementation are stored in emergency cabinets in the controlled area. If communication facilities are lost, communication can be established both internally and externally using the mobile radio transceivers in the fire-response vehicles of the plant fire brigade and the two-way radios kept in readiness at all times in the crisis-management group offices and in the control rooms. Furthermore, the plant has hard-wired connections from the backup control center to the ring room (annulus), so that communication can be maintained between the backup control center staff and the persons in the field.
Apart from the crisis-management group center on the KKP site, there are various other alternative facilities available, for example in Philippsburg and at the power plant sites Obrigheim and Neckarwestheim. These are used on the instructions of the crisis-management group in consideration of the radiological situation. When individual dose monitoring is implemented for the task forces, the dose value can be increased in accordance with the stipulations set out in the Radiological Protection Ordinance and the deployment time. A separate access route from the reactor building to the emergency feedwater building and to the backup control center ensures accessibility without hindrance from outside. The crisis-management group center in administration building VG3 is not available if the nuclear power plant site floods; the management group's duties then have to be discharged by multiple shifts staffing suitable alternative premises. The equipment for implementation of the accident management concept is connected, insofar as necessary, to the emergency power supply. The requirements for instrumentation and the measured radiological data that enable the plant condition to be identified clearly even under core meltdown conditions, and that supply the information necessary for the accident management measures, are regulated. The requirement set out in the KTA code defining scope and location of the indicators of the accident instrumentation has been implemented. Independently of the accident instrumentation, an accident sampling system is available in KKP 2; the system description details the system's function and method of operation. The nuclear power plants KKP 1 and KKP 2 are each independent of the other and are operated completely separately. On the basis of the events and scenarios considered, the emergency organization is adequate. Since the accident management measures necessary for core cooling can be implemented even under the adverse condition assumptions, no further measures are planned with regard to the effectiveness of accident management. The introduction of the mitigative accident management manual is due for completion in the near future.

Accident management measures for core cooling, for maintaining the integrity of the containment and for limiting the release of activity to the environment
On the basis of the events and scenarios considered, the implemented preventive and mitigative accident management measures are adequate. The robust containment of KKP 2, in combination with the "filtered venting of the reactor containment" accident management measure and the passive autocatalytic recombiners, will with very high probability withstand all loads to be expected in severe accidents. On account of the very large free volume inside the containment, moreover, the grace periods are very long. Within the framework of the mitigative accident management manual for GKN I, scenarios with activity release to the environment were studied. Strategies derived from these studies are in principle transferable to KKP 2 and are available to the crisis-management group. In this context many measures that can reduce release to the environment when the systems are available were identified.


The analyses within the framework of the level-2 Probabilistic Safety Analysis have shown that no further improvement of containment integrity is necessary or of practical benefit. Preventive accident management measures before occurrence of fuel-assembly damage are described in the accident management manual. The successful implementation of one of these accident management measures ensures heat removal; in this way the occurrence of fuel-assembly damage is reliably prevented. After occurrence of fuel-assembly damage inside the reactor pressure vessel, measures are available which, when successfully implemented, are designed to
- extend the grace periods,
- terminate destruction of the core / prevent RPV failure, and
- minimize nuclide release from the reactor containment.

In the event of the RPV failing in consequence of a core meltdown, the GKN I mitigative accident management manual proposes and prioritizes various measures from the accident management manual and the operating manual. Given availability, these measures are intended firstly to maintain the operability of the containment barrier and secondly to minimize nuclide release and extend grace periods. These measures are also available for KKP 2. Adequate measures are available to prevent fuel-assembly damage/meltdown under high pressure. On account of favourable plant characteristics, moreover, passive pressure relief is highly probable. The available measures for targeted pressure relief of the reactor coolant system are set out in the written operating procedures, and the reliability of their implementation is high. To prevent hydrogen reactions, there are passive recombiners inside the containment that recombine hydrogen with atmospheric oxygen without any external media whatsoever. Further operational measures for hydrogen reduction inside the containment would be favourable but are unnecessary, because the passive recombiners effectively limit the hydrogen concentration. If the pressure inside the containment rises in the course of an accident, the over-pressure is limited by the containment venting system. This venting system incorporates a filter system which to a very large extent prevents activity release. Filtered venting of the reactor containment is an accident management measure that can be implemented with a high degree of reliability and which does not require a voltage supply. Re-criticality of the melt inside the containment is not anticipated, because all water supplies consist of borated coolant; if the core melt comes into contact with water, it can only be this coolant.


Another operational measure to ensure sub-criticality is the extra borating system, which can be used when necessary to introduce borated water into the reactor coolant system and thus, if necessary, into the reactor cavity. The probability of retention of the core melt inside the reactor pressure vessel can be increased by the injection of water. If the reactor pressure vessel were to fail on account of a core melt, the melt could react chemically with the concrete of the reactor cavity. This concrete erosion by hot melt is reduced when the melt is covered by water. For this reason, the injection of water into the reactor cavity (via the reactor coolant system) or into the sump is of benefit. A coolable configuration is also feasible for slow accident transients with water coverage of the melt. No precisely specifiable cliff-edge effects prior to reactor pressure vessel failure are known. It is evident, however, that every slowdown in the course of the accident has a clear, positive effect with regard to the grace period preceding failure of the reactor pressure vessel and with regard to concrete erosion. If heat removal is restored at an early enough stage, further core destruction can be terminated. The "reactor containment venting" accident management measure is of special significance with regard to defending the integrity of the containment. No supply functions are necessary for implementation of this measure. Failure in the implementation of the "filtered venting of the reactor containment" accident management measure was discussed within the framework of the level-2 Probabilistic Safety Analysis. On account of the long grace periods and the possibility of correcting errors in implementation repeatedly, no failure due to human error is assumed. Apart from atmospheric pressure measurement in the reactor containment, no further instrumentation inside the containment is necessary in this context to ensure defense against over-pressurization.
This accident management measure can be implemented independently and, if necessary, in parallel in the two Units. In conclusion, it can be stated that with a very high degree of probability the robust reactor containment of KKP 2, in combination with the "filtered venting of the reactor containment" accident management measure and the passive autocatalytic recombiners, will withstand all the loads to be expected within the framework of an accident. The level-2 Probabilistic Safety Analyses have shown that no further measures for improving the defense of containment integrity are necessary or practicable with justifiable outlay. If loss of containment integrity occurs in the course of a serious accident with core melt, different systems could be used or measures implemented to reduce the release of activity, depending on the release path.


The mitigative accident management manual for GKN I distinguishes between the possible release paths and provides assistance for their diagnosis. The diagnosis strategy is transferable to KKP 2. In addition, measures are proposed for reducing release to the environment using measures set out in the written plant operating procedures. If the heads of the fuel assemblies in the spent fuel pool are uncovered, the containment prevents the release of radioactive nuclides to the environment. Under these circumstances, too, the autocatalytic recombiners limit the hydrogen concentration inside the containment and withdraw the oxygen necessary for combustion. The shielding effect of water coverage in the spent fuel pool is of relevance only for the implementation of local accident management measures for alternative water supply to the pool, for which sufficient time is available. The same preventive measures as in the case of release from the RPV/primary cooling circuit apply to a radiological release from the spent fuel pool. Since it is generally justified to assume longer grace periods and an intact containment, there is little likelihood of a significant release to the environment. The loss of cooling of the fuel assemblies in the spent fuel pool can be detected with the existing instrumentation; progressing fuel-assembly damage after loss of cooling can be estimated with the aid of various measurements, comparable with an accident in power operation. The main control room can remain staffed in the event of an accident with core melt on account of the "filtration of Unit 2 main control room inlet air at high outside-air activity" accident management measure. In conclusion, with regard to minimization of activity release, it is to be noted that in the framework of the mitigative accident management manual for GKN I, scenarios with activity release to the environment were studied extensively. Strategies derived from these studies are in principle transferable to KKP 2 and are available to the crisis-management group. In this context many measures from the operating manual and the accident management manual that can reduce release to the environment when the systems are available were identified.


13 KRB II / Gundremmingen Unit B and C

Brief Description of the Nuclear Power Plant
The Gundremmingen site has a double-unit nuclear power plant equipped with two identically constructed boiling water reactors (BWR) of Series 72, manufactured by Siemens KWU, each with a thermal output of 3840 MW. The two units are spatially separated and are structured completely independently of one another with regard to the control rooms and emergency control station, the safety system, and the essential operating systems. Only some of the auxiliary equipment, such as part of the nuclear ventilation with the corresponding chilled water systems and the systems for waste water and concentrate treatment or the conditioning of cooling tower make-up water, is used jointly by both units. Series 72 is the latest BWR series in Germany and continues to be one of the most modern BWR series worldwide. The units are characterised by the following features:

- Reactor-internal coolant recirculation pumps.
- In the case of a scram, the control rods can be inserted by means of a nitrogen cushion against any reactor pressure and can also be driven in diversely by an electric motor.
- A pre-stressed concrete containment with a low-lying condensation chamber into which the water returns by itself after loss-of-coolant accidents within the containment (no pumps needed).
- Three redundant, completely separated and independent process, electrical and I&C redundancies (3 x 100%), each having an emergency cooling chain accommodated inside flood-proof, separated compartments.
- A retrofitted, independent, additional residual heat removal and feed water system (ZUNA) with a diverse heat sink by means of wet cell cooling towers and diverse emergency power diesels ("station blackout diesels").

The main cooling water is re-cooled by a cooling tower assigned to the respective unit. The nuclear residual heat removal chains as well as the operating cooling circuits are cooled directly with water from the river Danube. In addition, heat removal can be ensured via the ZUNA system by means of wet cell cooling towers. The units are designed to withstand all assumed external events such as earthquakes, airplane crashes, pressure waves from explosions, floods, extreme weather conditions etc., including their consequential effects. The spent fuel pool is located inside the reactor building, protected against all external events.


Earthquakes
Design
The KRB II plant is designed to withstand a design earthquake with an intensity of I_MSK = VII. The ground accelerations (with reference to the building's foundation level) are:
Maximum horizontal acceleration: a_max = 100 cm/s²
Maximum vertical acceleration: a_max = 50 cm/s²
The method employed to ascertain the design earthquake is also considered conservative from today's point of view; this has been confirmed by recent analyses. All structures that are relevant to safety in the case of an earthquake, and all the safety systems required to control possible earthquake-induced incidents, are designed to withstand the design earthquake. This essentially involves the systems required to shut down the reactor and maintain long-term subcriticality, the systems to remove heat from the reactor pressure vessel, the condensation chamber and the spent fuel pool, and the emergency diesels that ensure the emergency power supply. The design of the KRB II plant against earthquakes was carried out on the basis of the following boundary conditions:

- No availability of systems and plant components which are not designed to withstand the design earthquake (including support systems not designed to withstand the design earthquake).
- Loss of offsite power (loss of the external power supply).
- Non-availability of the main control room.
- No auxiliary measures from outside the plant within a self-reliance period of 10 hours.

Design margins and robustness
During an assessment of the seismic engineering parameters and the re-evaluation of the site-specific load assumptions by the Gesellschaft für Anlagen- und Reaktorsicherheit (GRS), the plant design was appraised as conservative as a result of the design earthquake employed when compared to the original safe shutdown earthquake (SSE), which already results in distinct design margins. In addition there are large margins for carrying the loads from earthquakes of higher intensities. The probability of an earthquake-related failure of building structures and components relevant to the safety functions is so small, even for an earthquake with an intensity of I_MSK = VIII, that the resulting loads can still be carried. A quantitatively relevant earthquake-related failure of individual components only occurs in the range of an intensity of I_MSK = IX.


Due to the design of the plant to cope with the design basis earthquake, neither emergency measures nor mobile equipment are required to protect against core damage or damage to fuel elements in the spent fuel pool. A fire as a consequential effect of an earthquake is practically excluded due to the layout and the availability of passive and active fire protection systems. Loss of offsite power and additional losses of coolant are taken into consideration in the protection concept. Even in the event of earthquakes two levels of intensity higher than the design basis earthquake, no large-scale destruction of the infrastructure in the area of the site is expected, so that personnel, supplies (fuel) and heavy equipment can be brought in if necessary.
Adequacy and overall assessment of the design
As a result of the conservative design basis earthquake and the safety margins of one to two levels of intensity, there are sufficient design margins against earthquakes. A "cliff-edge effect" cannot be identified due to the reserves in the safety-relevant parts of the plant. The design of KRB II is thus appropriate over and above what is required for a design basis earthquake, so that a breach of the protection goals due to the effects of an earthquake can be excluded. There is therefore no need for action to increase the robustness of the plant.

Flooding
Design
The KRB II plant is designed to withstand a 10,000-year flood in accordance with KTA 2207 "Protection of nuclear facilities against floods". The normal impounding level of the Danube is 429.62 m above sea level. The key data for a flood with regard to the water levels reached, compared to the design of the plant, are:

Annuality                       Water runoff    Reached level
100 a                           1390 m3/s       432.95 m above sea level
1,000 a                         1590 m3/s       433.25 m above sea level
10,000 a (design basis flood)   2100 m3/s       433.33 m above sea level
Design                          -               434.50 m above sea level


The site of the power plant has been raised to a height of 433 m above sea level. The safety-relevant systems and buildings are designed to withstand a maximum flood level of 434.50 m above sea level as a result of permanent flood protection measures. The methodology applied for determining the design basis flood is conservative even from today's perspective; this was confirmed by recent studies.
Design margins and robustness

- The existing design results in a difference of 4.90 m between the normal impounding level and the maximum high water level, as well as a reserve of 1.17 m between the design basis flood and the maximum high water level.
- A dam break at the Gundelfingen barrage at 434.5 m above sea level does not result in any impairment of the safety functions because of the topography and because the buildings are designed for levels up to 434.5 m above sea level. A further hazard for KRB II due to tsunami, storm waves, dam failure, etc. is not given, taking the hydrological situation at the site with its drainage basin and the Danube river barrages into consideration.
- Various operating regulations exist to warn of and limit the effects of flooding. KRB II is connected to the flood alarm service (Hochwassernachrichtendienst) and is notified immediately when certain water levels are exceeded. The plant must be shut down when the water reaches 433.5 m above sea level at the latest. In addition, temporary flood protection measures will be constructed using sandbags and similar systems to ensure accessibility and the supply of resources as of a high water level of 432.5 m above sea level. Ingressing water will be pumped out of areas that have no relevance to safety.
- Buildings with safety relevance are equipped with permanent flood protection and require no temporary measures. Access to the control room, the reactor building, the control stations and the emergency power diesel buildings is still possible even at a level of 434.50 m above sea level via the operational and social staff building.

Adequacy and overall assessment of the design
- With the described design of the plant against flooding, all possible effects, such as a damaged barrage, are taken into account according to today's level of knowledge, with clear margins.
- If the runoff of a 10,000-year flood (433.33 m above sea level) is doubled, the level rises by only a further 42 cm. Taking into account the 1.17 m reserve between the 10,000-year flood and the plant design, an adequate additional safety margin remains. The difference of 4.90 m between the normal impounding level of the Danube and the flood level of 434.50 m above sea level used as the criterion for the design of the buildings represents such a high safety margin that, taking the profile of the terrain and the volume of water to be discharged into account, the effects of flooding do not result in a threat to the safety of KRB II.
- A flood level greater than 434.50 m above sea level is not reasonably possible. Thus no "cliff-edge effects" exist and improving the robustness of the plant is not required.


Extreme weather conditions
Design
The KRB II safety concept for withstanding extreme weather conditions is based on the conventional design of the buildings in accordance with DIN 1055, the design of the plant against external events in accordance with the BMI (Federal Ministry of the Interior) safety criteria for events of natural or civilisational origin, and the warning system of the German weather service (DWD). Historic weather observations and records from Bavaria were used to ascertain the weather conditions used as the design basis; the weather conditions used for the design of the plant are therefore based on the climate zone at the site. Since the plant started operation, no extreme weather conditions have occurred within this climatic zone that were at the edge of, or outside, the design basis of the plant. The following key conditions were considered in the design:

- wind loads
- low temperature and ice
- high ambient and cooling water temperatures
- low water levels
- floods and extreme precipitation

Design margins and robustness
As a result of the design of the safety-relevant structures against external events, extreme weather represents a negligible load that has already been taken into account in the conventional building design in accordance with DIN 1055.
Wind and snow loads: The safety-relevant buildings have been designed to withstand explosion pressure waves. The loads from external explosions were added to the imposed, wind and snow loads. This means that the design margins against wind and snow loads are clearly higher than what is required by the rules of conventional construction.
Low temperature and ice: All important safety systems and components are accommodated in enclosed spaces. These safety-relevant buildings are largely screened off from external temperature influences by thick concrete walls. The arrangement of the components inside heated spaces and the return flow of warm water into the Danube ensure the auxiliary cooling water supply. Overflow structures are heated in order to ensure the draining of the auxiliary cooling water as well.


An impairment of the additional residual heat removal system (ZUNA) is prevented by the electrical heating of the corresponding parts of the system. The water reservoir is 4 metres deep and is covered by a concrete slab. In addition, the water in the reservoir can be circulated in bypass mode using the auxiliary cooling water pump. As a result of the design against external events, the arrangement of the safety-relevant systems within buildings or their location deep under the ground, and the auxiliary heating, sufficient reserves exist for protection against the effects of low temperature and icing.
High ambient and cooling water temperatures: There are 8 chillers to cool the supply air for the reactor building and containment. Even in the very hot summer of 2003, only 5 of these machines had to be operated. For the sub-control stations, switchgear building, auxiliary cooling water pump buildings and emergency power building, tests showed that the maximum temperatures in these buildings remained below the limit values specified in KTA 3601 for 10 hours with ventilation and cooling switched off. The highest Danube temperature measured to date was 22.1 °C in August 2003. The supporting documents proving compliance with the maximum temperatures in the condensation chamber assume a supply temperature of 28 °C. Heat removal with ZUNA is independent of the river water temperature. If the cooling capacity of the spent fuel pool cooling system should not be sufficient even with the two existing operational trains, the spent fuel pool can be cooled using one of the nuclear residual heat removal chains. On the basis of the above, high ambient and cooling water temperatures are not critical for the removal of heat from the core or the spent fuel pool.
Low water levels: The critical low water level of 427.52 m above sea level will only be reached in the event that the Faimingen barrage is destroyed.
In this case, countermeasures are available to ensure an increased inflow from the reservoirs located upstream on the one hand, and to reduce the cooling water requirement as far as possible on the other. In addition, residual heat removal with ZUNA is independent of the river water level.
Flooding and extreme precipitation: The effects of flooding are described in Chapter 3. Rain and hail do not represent a special load. The structural properties of the outer perimeter walls prevent an impairment of the important safety equipment. Extreme snowfall does not cause any special load.
Adequacy and overall assessment of the design
As a result of the design of the safety-relevant structures and components against external events, extreme weather represents a negligible load. Because of the auxiliary heating, the intelligent arrangement and the generous dimensioning, additional margins are available so that the Gundremmingen nuclear power plant can adequately and appropriately withstand extreme weather conditions. No additional improvements in robustness with regard to extreme weather conditions are required.

Loss of electrical power
Design
KRB II is a double-unit plant with a total of four main grid connections (two per unit). Electrical consumers are supplied by the plant auxiliary power system, which is fed either by the unit's own generator or by one of the main grid connections. Important safety-relevant consumers are supplied via a total of 12 emergency busbars. The power supply for the electrical consumers is staggered as follows:
- Four main grid connections (two per unit, 380 kV); one grid connection is sufficient to supply the auxiliary power required for both units.
- In the case of a breakdown of the main grid connections, the supply is guaranteed by the main generator after load rejection to auxiliary station supply.
In the event that load rejection to auxiliary station supply fails, the following possibilities are available to supply emergency power:
- Supply of emergency power via a connection to the 110 kV backup grid (different voltage level, different switching equipment, fed by another energy supplier) that is independent of the main grid connections.
- Automatic supply of the 6 redundancy and 4 availability emergency busbars by the emergency diesels (5 emergency diesels per unit with 4.8 MW each).
- The "additional residual heat removal and feed water system" (ZUNA) with its own diverse, independent power supply per unit and cooling independent of the Danube via wet cell cooling towers.
- Supply of 2 emergency busbars (excluding the high-pressure pumps) as part of the emergency measures via a 20 kV underground cable.
- Various connection possibilities to the emergency busbars of the neighbouring unit, i.e. supply via the neighbouring unit or its emergency diesel units.

The emergency power supply of the 3 x 100% redundancies have been structured according to the residual heat removal trains they supply, are not intermeshed and function independently both as far as the machinery and the voltage supply is concerned. Two redundancies are designed to withstand external events. All the emergency diesels are designed to withstand flooding. The diverse ZUNA emergency diesels are designed to withstand earthquakes and flooding and are set up spatially separated from the other emergency diesels in view of an airplane crash. Each diesel generator has its own fuel storage tank which is designed according to its relevance for safety, so that A1-161

the engines can be operated without any manual intervention for at least 72 hours. No manual intervention to ensure the supply of lubricants etc. is required within this timeframe. In case of failure of all 10 emergency power diesels, the 24 volt DC voltage supply and the 220-volt batteries will cover the requirements for at least 2 hours as per the design (regulation requirement: 30 minutes). Design margins and robustness The supplying of the emergency bus bars can be extended to a maximum of 6 x 72 hours if the manual fuel saving measures are carried out in accordance with the operation manual when the emergency power diesels are in operation for longer periods of time. In the case of a loss of electrical power, the power supply is guaranteed for much more than 10 days, considering the time needed to initiate the measures and without application of ZUNA. Contractually, diesel deliveries have been agreed within 24 hours. No electrical power supply is needed for refuelling. Also, the fuel could be supplied from the refineries in the surrounding vicinity, if necessary. The batteries are charged constantly when the emergency diesels are in operation. In case of failure of all 10 emergency diesels, power is supplied for at least 2 hours by the DC voltage supply of the 24 volt and the 220 volt batteries as per the design. In practice, the times until the battery voltage drops below the approved consumer voltage is much longer. The battery calculations for the KRB II safety system show times of up to 13 h until the 220 V batteries are discharged and up to 8 hours for the 24 V batteries. This data is conservative as it takes a 10% age-related deterioration of the capacity into consideration. With emergency measures in the event of a complete failure of the emergency power supply (failure in the backup grid, emergency diesels and diverse ZUNA emergency diesel) the voltage supply can be restored by means of the 3rd grid connection (20 kV). 
The time required for the implementation of this measure falls within the grace period in which there is no impermissible heating of the core. In the case of a complete failure of all emergency measures to restore the power supply and of ZUNA, core cooling is ensured, after a grace period of approx. 15 minutes, by water injection from the feed water tank for a period of several hours. Within this period, mobile pumps (hydrosubs) can take over core cooling in approx. 50 minutes. If the pressure in the containment exceeds 3 bar, filtered pressure relief (venting) of the containment can be initiated by manual actions from radiologically protected areas. In case of a failure of all safety systems, the spent fuel pool can be cooled using mobile fire-fighting pumps available on the plant site. In the worst case (full discharge of the core), the grace period for this is 12 h.

Adequacy and overall assessment of the design

The plant KRB II is very well protected against a loss of power due to the staggered concept of the emergency power supply. The various types of grid connections, the high number of emergency diesels including their design to withstand external and internal events, as well as the mutual supply possibilities between both units, demonstrate the extraordinarily high robustness of the design. Thus no "cliff edge effects" are to be expected in the loss of electrical power event, and the plant Gundremmingen is adequately designed to control the loss of electrical power.

Loss of the ultimate heat sink

Design

The cooling water at KRB II is supplied via a so-called intake channel. The withdrawal of the safety-relevant auxiliary service water is done via 3 spatially separated and independent pump buildings, each of which serves one redundancy for both units. In addition, the independent and diverse ZUNA system, which is protected against external and internal events, is available to provide feed water and to remove residual heat. The ZUNA system has an independent power supply and an independent, diverse heat sink by means of wet cell cooling towers. In case of a loss of the primary heat sink, heat removal is available for at least another 40 minutes by means of the operational systems. Subsequently, the heat removal from the reactor core and the spent fuel pool occurs via the ZUNA system. The evaporation losses in the cell cooling towers of the ZUNA system must be replaced after 10 hours. Various possibilities and water sources are available for this (ZUNA auxiliary water pump, mobile fire-fighting pumps available on the plant site, and the use of water from the Danube or from a gravel lake). In this way, long-term cooling can be guaranteed even in the case of a loss of the primary heat sink.

Design margins and robustness

If a failure of the ZUNA heat sink is additionally assumed, core cooling will be handled, after operational cooling ceases, by the high- or low-pressure feed pumps or the ZUNA feed pumps until the condensation chamber heats up to the point at which a pump malfunction may also occur. Within this period of time, core cooling can be ensured with mobile pumps (hydrosubs). Later on, the heat removal from the containment is achieved, at a containment pressure of > 3 bar (after approx. 9 hours), via manually initiated, filtered pressure relief (venting). The spent fuel pool is cooled with mobile fire-fighting pumps. The grace period before reaching 80 °C is approx. 12 hours in the worst case (full discharge of the core).

Adequacy and overall assessment of the design

The threefold redundant auxiliary cooling water supply as well as the additional diverse heat sink, including its design to withstand external and internal events, demonstrate the extraordinarily high robustness of the design. Neither "cliff-edge effects" nor damage to the fuel elements are expected, because of the measures that can be initiated at consecutive levels, which continuously counteract further escalation depending on the course of events. Thus comprehensive provisions have been taken against a loss of the ultimate heat sink. There is no need for further measures to increase the robustness.

Loss of the primary ultimate heat sink, combined with station blackout

Design

In the case of a loss of the primary heat sink and a hypothetically assumed simultaneous loss of electrical power including the emergency power diesels, the removal of the residual heat from the reactor and the spent fuel pool is entirely ensured by the diverse, additional residual heat removal and feed water system (ZUNA). The ZUNA system is equipped with an independent power supply and an independent, diverse heat sink by means of wet cell cooling towers. In addition, the emergency measures required to restore the power supply will be carried out.

Design margins and robustness

In the event of an additionally assumed failure of the ZUNA heat sink, the cooling of the core is passively ensured for hours, after a grace period of 15 minutes, by injection from the feedwater tank. Within this period, cooling can be ensured in about 50 minutes by means of mobile pumps (hydrosubs). During the further course of events, filtered pressure relief is performed manually from radiologically protected areas when the pressure in the containment exceeds 3 bar (after approx. 9 hours). The spent fuel pool is cooled with mobile fire-fighting pumps. The grace period before reaching 80 °C is approx. 12 hours in the worst case (full discharge of the core). With regard to the grace period, great margins exist from the design, as do reserves resulting from the conservative verification methods applied. In fact, a temperature of 80 °C is only expected after about 35 hours.

Adequacy and overall assessment of the design

The plant KRB II is well protected against a loss of the primary heat sink in combination with a station blackout as a result of the defence-in-depth concept for the emergency power supply and the threefold redundant auxiliary cooling water supply, as well as the additional diverse heat sink (ZUNA). Both the power supply and the ultimate heat sink demonstrate an extraordinarily high level of robustness in the design. Thus no "cliff edge effects" are expected, and the plant Gundremmingen is therefore adequately protected against the loss of the heat sink in combination with a station blackout. Further action is not needed.

Severe accident management

Design

As the 4th level of the defence-in-depth concept to ensure the safety of the plant, accident management measures are foreseen at KRB II (plant-internal accident management). The emergency measures are applied in a condition- and protection-oriented manner, depending on the course of events and the failure mode, according to the accident action plan. The plant-internal accident management measures are carefully planned and described in the emergency manual. They are applied if the limits to ensure the protection goals cannot be met with the protection-oriented approach of the operating manual (accident action plan), or if there are persistent doubts about compliance with the protection goals. An emergency organisation is set up in the event of incidents and extraordinary events in the power plant, whenever necessary. Depending on the circumstances and the event, the on-call duty staff, the management staff, one operation controller, or the full emergency organisation with all operation controllers and operational units will be deployed. The emergency organisation of the plant-internal accident management is structured so that

- sufficiently qualified personnel are available,
- external assistance (e.g. by the AREVA crisis management group, the Gesellschaft für Anlagen- und Reaktorsicherheit, and the national support organisations Technisches Hilfswerk and Kerntechnischer Hilfsdienst) is ensured,
- sufficient technical equipment is available and can be used,
- support with external technical equipment is guaranteed,
- sufficient operational and auxiliary tools are available,
- radiation protection is organised, and
- internal and external communication is ensured.

Situations that could complicate the conditions, such as

- extensive destruction of infrastructure,
- aggravating radiological conditions,
- aggravating conditions due to earthquakes or floods,
- unavailability of the power supply, and
- instrumentation failures,

have been taken into consideration. In addition, a variety of preventive measures to ensure the integrity of the barriers and the cooling of the core and the spent fuel pool, as well as a variety of mitigative measures to limit the radiation exposure, are available within the framework of the defence-in-depth concept. Measures for beyond-design events (mitigative emergency measures) are also described in the emergency manual. The creation of Severe Accident Management Guidelines (SAMG) has been launched to further optimise the effectiveness of the emergency management.

Adequacy and overall assessment of the design

The existing organisation to manage serious incidents at the nuclear power station Gundremmingen is appropriate and suitable to master events also beyond the design basis, while taking aggravating conditions into account.

Accident management measures for core cooling, to maintain the integrity of the containment, and to limit activity releases into the environment

Design

Extensive accident management measures are available at KRB II within the framework of the defence-in-depth concept to ensure compliance with the safety goals. The emergency measures are applied in a condition- and protection-oriented manner, depending on the course of events and the failure mode, according to the accident action plan and the emergency manual. The plant-internal accident management measures are applied if the limits to ensure the protection goals cannot be met with the protection-oriented approach of the operating manual (accident action plan), or if there are persistent doubts about compliance with the protection goals. In accordance with the defence-in-depth concept, the plant-internal accident management measures are broken down into preventive measures to avoid fuel damage, mitigative measures after the occurrence of fuel damage inside the reactor pressure vessel, and mitigative measures after a failure of the reactor pressure vessel. Overarching emergency measures exist for the mitigation of risks posed by hydrogen, to avoid recriticality, and to limit activity release. Preventive emergency measures to avoid fuel damage are high-, medium- and low-pressure feed water injection into the reactor pressure vessel and (at low pressure) into the spent fuel pool by means of various system connections or mobile pump units. Heat is removed from the containment by means of the venting system explicitly provided for such emergency measures.

Mitigative emergency measures after the occurrence of fuel damage in the reactor pressure vessel are the hydrogen removal system and the diverse, passive autocatalytic recombiners to prevent an ignitable hydrogen-oxygen mixture, as well as filtered pressure relief of the containment by means of the venting system to prevent an overpressure failure of the containment. These emergency measures act passively or require no electrical supply. With the emergency measure "pressure chamber flooding and spraying", the containment can be flooded to cool the reactor pressure vessel from the outside, thereby preventing its melt-through. Following a failure of the reactor pressure vessel, additional mitigative emergency measures are used to flood the containment in accordance with the accident action plan and the emergency manual. This makes it possible to cover any molten mass that may have run out of the reactor pressure vessel. The hydrogen removal system, as well as the diverse, passive autocatalytic recombiners, are the emergency measures for the treatment of risks posed by hydrogen. The venting system is designed in such a way that no hydrogen explosions can occur inside it. The boron injection system is provided to prevent recriticality. Filtered pressure relief (venting) is the emergency measure foreseen to limit the release of activity. It can avoid a spontaneous loss of integrity of the containment and the associated activity release. The dimensioning of the venting system limits the containment pressure to a value below its test pressure. The retention system for aerosols and iodine in the pressure relief path is designed in such a way that a retention efficiency of > 99 % is achieved for elemental iodine and > 99.9 % for aerosols.

Adequacy and overall assessment of the design

The detection of beyond-design events is reliably provided by the available instrumentation; a sufficient number of highly qualified staff for the emergency organisation is available at all times. The grace periods for initiating accident management measures are adequate. Sufficient systems and components exist, which are designed in accordance with the requirements. The creation of a Severe Accident Management Guide (SAMG) has been launched to further optimise the effectiveness of the accident management. Therefore the existing accident management measures to protect the population are appropriate. Further-reaching measures are not required.

14 KKE / Emsland

Brief Description of the Nuclear Power Plant

The Nuclear Power Plant Emsland (Kernkraftwerk Emsland or KKE) is a single-unit power station located on the river Ems near the city of Lingen (Ems), in the district of Darme, in the county of Emsland in the administrative district of Weser-Ems. The plant is a Konvoi-type pressurised water reactor (PWR) manufactured by KWU (Kraftwerk Union) with a reactor core comprising 193 fuel elements. It is a 4-loop plant with four steam generators and four-train, spatially separated safety systems (e.g. 4 residual heat removal systems, 4 emergency diesel units), as well as four additional emergency diesel units, which are protected against external hazards. The reactor has a thermal output of 3850 MWth, from which a gross electrical output of 1400 MWel (1329 MWel net) is produced using one high-pressure and two low-pressure turbine sections. Cooling is provided via a natural draft cooling tower; the water is supplied from the river Ems. The reactor building encloses the safety-related plant components and is constructed of heavily reinforced concrete. Inside the reactor building there is a steel containment several centimetres thick, designed as a full-pressure containment, which encloses the primary circuit (consisting, among other things, of the reactor with the connected piping and the main coolant pumps) together with the steam generators and the spent fuel pool. The Nuclear Power Plant Emsland was put into commercial operation on 15 July 1988 and has generated around 11 billion kWh of electrical energy per annum since then, enough to supply about 3.5 million households with power. The licensee of the Emsland nuclear power plant is Kernkraftwerke Lippe-Ems GmbH (shares held by RWE Power AG: 87.5 %, EON Kernkraft: 12.5 %).

The probabilistic safety assessment (PSA) carried out to date in accordance with the BMU Guidelines as part of the periodic safety reviews shows Level 1 PSA values for the Nuclear Power Plant Emsland that are far below the target value for the core damage frequency of plants in operation (< 1E-4/a) issued by the IAEA. The values determined are even lower than the values recommended for evolutionary reactors (1E-5/a). The results of the Level 2 PSA show a very low frequency of a large early release of fission products of 2.2E-8/a for the Nuclear Power Plant Emsland. Overall, the findings of the Level 1 and 2 PSAs confirm that the Nuclear Power Plant Emsland has a well-balanced safety concept and exhibits a very high level of safety.

Earthquake

The design of the Nuclear Power Plant Emsland was based on an earthquake with a return period of 100,000 years, an intensity of VII on the MSK scale and a maximum horizontal ground acceleration of 1.2 m/s² (design basis earthquake).

As part of the erection of the on-site interim storage facility in 2002, the independent expert appointed by the nuclear authority, the Bundesanstalt für Geowissenschaften und Rohstoffe (BGR, Federal Institute for Geosciences and Natural Resources), confirmed that these requirements for the Lingen site were conservative. A recent assessment carried out in February 2011 by the BGR according to the criteria now also prescribed in KTA 2201.1 (Nov. 2010) confirmed that the seismic engineering parameters reflect the state of the art in science and technology. All the safety-related buildings and systems are designed to withstand the design basis earthquake, so that neither emergency measures nor mobile equipment are needed for its control (in principle, a loss of offsite power is assumed in this case). Therefore important supplies (fuel for the diesels, demineralised water to supply the steam generators, borated water) are also accommodated in the protected buildings. Damage to buildings and systems not explicitly designed against earthquakes cannot be ruled out. It is however guaranteed that such damage, should it occur, will have no effect on the systems used to safely shut down the plant. Only slight effects are expected in the surrounding area in the event of the design basis intensity at the site, and in particular no effect on the site itself. However, general precautions have been put in place against limited accessibility; for example, the diesel supplies have been designed to be self-sufficient for at least 72 hours. As part of the licence, the licensee is legally required to demonstrate by means of periodic inspections that the plant properties essential for the safety of the plant, as well as the safety and barrier functions, are in place, and that the quality and effectiveness of the safety-related measures and facilities are guaranteed. With regard to earthquake resistance, for example, periodic visual inspections are therefore performed on the supports of piping and components, and the earthquake instrumentation is tested on a recurring basis. This ensures that the plant complies with the licensing basis. Due to the conservative design of the Konvoi series against the effects of earthquakes, substantial reserves can be identified for preserving the safety functions and the integrity of the containment with regard to stresses arising from the design basis earthquake for the Nuclear Power Plant Emsland. As the site of the Nuclear Power Plant Emsland is considered to be absolutely flood-free (see also the next section), a beyond-design-basis flooding of the power plant site as a result of an earthquake is considered physically impossible. As a result of the demonstrated high degree of robustness of the plant, far-reaching reserves exist to control earthquake events. There is, therefore, no need for system changes or additional provisions in this respect.

Flooding

The Nuclear Power Plant Emsland is located approximately 600 m from the river Ems. The level of the design basis flood for the site is 24.55 m above sea level. The reactor complex is located at an elevation of 31.15 m above sea level. Due to its topographic location, the site is considered to be flood-free.

The value for the design basis flood was determined deterministically using historical data. An examination by the operator in accordance with KTA 2207 confirmed the value for a flood with a return period of 10,000 years to be 24.6 m above sea level. The auxiliary cooling water supply comes from two spatially separated inlet structures on the river Ems. The service floors of the auxiliary cooling water pump buildings are 24.8 m above sea level and are therefore above the design basis flood. In the event of a beyond-design-basis flood accompanied by flooding of the auxiliary cooling water pump structures, safe removal of the decay heat is guaranteed via the cell cooling towers. Temporary flood control measures are not necessary due to the elevated position of the site. Access to the elevated nuclear power plant site is not affected even when water levels exceed the design basis flood. The operational readiness of all mobile devices and supply functions on the power plant site is thereby also ensured. Since the site is considered flood-free, no plant changes or improvements of the protection against flooding are required.

Extreme weather conditions

Stresses from the following extreme weather conditions were taken into account in the design of the Nuclear Power Plant Emsland:

- Wind and snow loads,
- High and low ambient temperatures (water and air),
- Low water level and biomass accumulation in the water supply,
- Lightning and effects of severe weather.

In principle, combinations of several external effects, as well as combinations of these effects with incidents, have been taken into consideration in the design of the plant components, insofar as their simultaneous occurrence has to be taken into account on the basis of probability and the extent of loss. In particular, the following causally related effects have been taken into account:

- Combinations of effects due to earthquakes or floods,
- Combination of the effects of heavy rain, storm and lightning during severe weather,
- Combination of the effects of ice and snow, low temperatures with a storm, or low temperatures with ice and snow,
- Combinations of effects of low or high temperatures with a low water level in the outlet channel.

Other combinations were excluded on the basis of having no causal connection.

There are high margins against influences from extreme weather conditions due to the design of the safety-related structures, systems and components against mechanical stresses from earthquakes, explosion pressure waves and airplane crashes. Because of the positive results of the extensive study of extreme weather conditions, including possible combinations, the protection of the plant is evaluated as being appropriate. A further increase in robustness is therefore not required.

Loss of electrical power

As a result of the diversity of the grid connections (400 kV, 110 kV, 10 kV), extensive precautions have been taken at the Nuclear Power Plant Emsland so that the plant can continue to be, or can again be, supplied with power from an external source even in the event of malfunctions in individual external grids. In addition, the plant is equipped with its own versatile, multiply redundant and diverse emergency power supply systems. All the events postulated in the EU stress test that have to be examined, which also cover extremely unlikely beyond-design events, will be controlled by the plant, even in the long term, so that no fuel damage in the reactor core or the spent fuel pool will occur. As precautionary measures, various permanently installed, multiply redundant and diverse emergency diesels and complementary emergency measures are available in accordance with the defence-in-depth concept. The fourfold redundant emergency feed diesels (4 x 50 %), which are protected against external events, are used to cover the failure of the likewise fourfold redundant emergency diesels (4 x 50 %). This design was selected to cover the failure of all emergency diesels, which is termed 'Station Blackout' in the IAEA definition. The existing fuel supplies for the respective diesel generators at the power plant site guarantee such a long period of operation (in the range of days) that external refuelling can be secured, even in view of the aggravating constraints defined by ENSREG which make access to the nuclear power plant more difficult. The battery systems used in the plant are already designed for an operating duration of more than 2 hours on the basis of the available battery capacity, which can be extended significantly by relief measures (e.g. disconnection of components that are not required). It should be noted that the power supply of the required safety systems is ensured both for all natural events relevant to the site and in the event of an airplane crash or an explosion pressure wave. In addition to the plant's internal emergency power facilities, the Koepchenwerk hydroelectric power station and the black-start-capable topping gas turbines in the adjacent gas power plant Emsland (expected completion in 2011) are available to supply power to the Nuclear Power Plant Emsland in the event of a total loss of the external grid.

Because of the extremely high level of robustness of the Nuclear Power Plant Emsland outlined above in guaranteeing the supply of electrical power, even after taking into account the anticipated triggering events such as earthquakes, floods and extreme weather conditions, there is no need for measures to increase the robustness. This applies in particular because the fourfold redundant emergency feed diesel generators, which are protected against man-made hazards (airplane crash, explosion pressure wave), are able to handle the loss of the likewise fourfold redundant emergency diesels.

Loss of the primary heat sink

In case of a failure of the outlet channel, heat removal is still possible via the cell cooling towers over a very long, almost unlimited period of time, regardless of the prior plant status and even with limited staff availability. Several diverse sources (e.g. cooling tower water basin, object protection trench, drinking or raw water) and equipment (e.g. emergency-power-supplied permanently installed or portable fire-fighting pumps) can be used to replenish the water lost to evaporation from the cell cooling towers. In case of a loss of the outlet channel and of the fourfold redundant cell cooling towers, the fourfold redundant secondary, diesel-supported emergency feed water supply of the steam generators, with heat removal by means of the atmospheric steam dump station, is available to remove the residual heat from the primary circuit. In the long term, the decay heat from the spent fuel pool is removed by evaporation, whereby the water losses can be made up by means of normal operating systems or fire-fighting equipment. As sufficient water resources are available and the demineralised water pumps are also available regardless of the auxiliary cooling water supply, the long-term removal of the decay heat is guaranteed. Due to the existing diverse heat sinks, the Nuclear Power Plant Emsland is robustly protected against the loss of the heat sink. In case of a complete loss of all heat sinks, additional emergency measures are in place, which can be performed without support from outside in protected and secured areas of the buildings. Therefore no further increase in robustness is required.

Loss of the primary heat sink, combined with Station Blackout

As shown in 0.7, the 'Station Blackout' in accordance with the IAEA definition will be handled by the fourfold redundant emergency feed diesel generators (emergency power system D2) at the Nuclear Power Plant Emsland. Thus the power plant can be shut down and cooled in accordance with the operating manuals. The loss of the primary heat sink together with a Station Blackout will be handled completely by the plant as part of its design. No measures are required to improve the robustness.

Severe accident management Plant-internal accident management means the totality of all the measures undertaken in a nuclear power plant to identify and control beyond design incidents, i.e. system states or event sequences that are unforeseen or are not controlled by the design, and to effectively limit their impact inside and outside the plant. This means that first of all we have to assume a multiple failure of the redundant, diverse and separate safety systems that are intended and designed for the control of plant malfunctions and incidents. Emergency measures are then used to restore the plant to the safe state to ensure the compliance with the basic safety goals (see 0.2.1). These can be broken down into damage prevention and damage limitation (mitigation) measures. The emergency measures prepared for the Nuclear Power Plant Emsland are designed first of all to guarantee the compliance with the safety goals and to minimize the impact of events, also in the case of potential core damage. To do this, written instructions and concepts are available on how to restore the supply of power and cooling water, how to feed the steam generators, how to flood the reactor core and the spent fuel pool, and how to maintain the barriers. The emergency protection planning includes the formation of organizational units and the provision of technical facilities to ensure effective coordination of the emergency measures, provide comprehensive information to the public and the support of the civil protection authority in reaching decisions on measures for protection of the public. The shift staffing during normal operations always ensures that there is sufficient availability of expert staff to perform the required initial emergency measures in the event of an emergency without any external support. 
In addition, the emergency manual specifies an emergency organisation consisting of an emergency response team and other operational units, which can be notified via an alarm system on short notice. A variety of diverse means of communication are available for this purpose; their function is guaranteed even in case the infrastructure is largely destroyed. Alerting the emergency response team with the operational units and standby staff is practiced regularly during emergency response exercises. The availability, sufficient number of resources and time needed to deploy the standby staff is regularly checked during these exercises. When assessing the emergency organisation's ability to act, aggravating conditions regarding the accessibility to the nuclear power plant and the radiological situation are taken into account, while appropriate countermeasures are in place (e.g. alternative locations for operation centers). All relevant emergency equipment located on-site at the Nuclear Power Plant Emsland is tested periodically for completeness by using inspections on a recurring basis. In addition, firm arrangements exist with suppliers for external technical assistance (such as the plant manufacturer's emergency team, Kerntechnischer Hilfsdienst GmbH, the provision of fuel and supplies, etc.). The goal-oriented implementation of emergency measures is possible even in a case of loss of power. Instrumentation including radiological data acquisition is available which makes it possible to identify the plant status even under core damage conditions (even after temporary loss of power or auxiliary media) and to provide the information required for emergency measures.

The investigations, as well as the review processes, show that the procedures for prevention and mitigation of core damages are adequate, comprehensive and suitable. The accessibility and usability of areas of the plant (control room, emergency control room, emergency response facilities, local control and measuring points) is still given even under difficult conditions in accordance with the statutory provisions, and especially the Radiation Protection Ordinance (Strahlenschutzverordnung). The preparation of a manual for mitigative incident handling (SAMG or Severe Accident Management Guideline) has been launched to further enhance the effectiveness of the severe accident management.

Accident management measures for core cooling, to maintain the integrity of the containment, as well as to limit the activity releases into the environment

All measures supporting the decay heat removal from the fuel elements are seen as preventive means to avoid fuel damages. Sufficient quantities of coolant in the nuclear reactor pressure vessel and the spent fuel pool as well as an available heat sink are the key requirements in this context. The concept of the emergency manual requires that the measures for relieving the pressure in the steam generators and feeding into the pressureless steam generators be carried out as a priority (secondary bleed and feed). The aim is to establish a backup feed water supply with a mobile pump or from the inventory of the feed water tank in the case of a complete failure of all operational and safety systems that feed the steam generators. In doing so, sufficient cooling is secured by heat removal via the atmospheric steam dumping stations. The emergency procedure to ensure sufficient quantities of coolant is to open the pressurizer valves to lower the pressure in the primary circuit so that the emergency cooling systems/accumulators are able to refill the primary circuit (primary bleed and feed). The available water resources for this procedure are highly borated so that sub-criticality is assured. In the case of an assumed failure of the previously described preventive measures, mitigative measures will be applied to protect the integrity of the containment, consisting of the passive recombiners for hydrogen reduction and the release of pressure (venting) before reaching the failure pressure as well as the filtering of the venting flow. These measures are effective even if fuel elements are already damaged or the reactor pressure vessel has failed. The active hydrogen monitoring and limitation system detects the release of hydrogen inside the containment and restricts the increase of its concentration by mixing and recombining.
In addition, 58 passively operating autocatalytic hydrogen recombiners are installed in the containment, which limit the concentration of hydrogen and deplete it in the medium term.

The objective of the emergency measure for the filtered pressure relief is to restrict the pressure build-up inside the containment while simultaneously minimising the radioactive effects on the environment. There are retaining devices (Venturi scrubbers and metal fibre filters) for aerosols (level of separation ≥ 99.99%) and iodine (levels of separation for elementary iodine ≥ 99.0% and for organic iodine ≥ 90%) within the pressure relief line. To assess the release of radioactive substances, there is a system for taking samples from the containment atmosphere in the event of an accident. A spontaneous loss of integrity of the containment and the associated release of activity can effectively be avoided by using the filtered pressure relief. The spent fuel pool is located inside the containment, so in the case of assumed damages the above-mentioned measures to limit the hydrogen and to confine the radioactive substances inside the containment are effective. Additional emergency measures which primarily focus on the feeding of coolant are also available to ensure the removal of decay heat and sub-criticality within the spent fuel pool. Due to the large water volume in the spent fuel pool, there is considerable time for implementation of these measures. Due to the usable instrumentation and its incident-proof design, detection of any beyond-design event is ensured. Due to the installed standby and alerting services, sufficient staff is available for deployment when necessary. All relevant activities can be carried out in suitably shielded areas, so that they can be executed even in the event of increased dose rates. The existing emergency procedures can therefore be regarded as being appropriate. Further measures will be considered in the framework of preparing the Severe Accident Management Guideline (SAMG).


15 KWB-A/B / Biblis Unit A and B

Brief Description of the Nuclear Power Plant

The Biblis site is located in the northern part of the Upper Rhine Rift running from south to north in the transitional area towards the Mainz Basin on the right shore of the River Rhine between the kilometre markers 454.4 and 455.8, directly behind the flood dam. A twin-unit power station (Biblis A and Biblis B) was built on the site. Both units are pressurised water reactors built by the manufacturer KWU (Kraftwerk Union). The units differ only slightly. Both units are four-loop systems with 4 steam generators, with a four-train (4x50%) safety system for heat removal, and employ a reactor core with 193 fuel elements. The thermal reactor capacity is 3,540 MW (unit A) or 3,733 MW (unit B), producing a net amount of 1,146 MW or 1,240 MW respectively by means of one high-pressure and three low-pressure turbines. The cooling water supply is from the River Rhine. The reactor building and the auxiliary plant building enclose the plant equipment essential for the operation and its safety. Both buildings are constructed of reinforced concrete. Inside the reactor building, there is a containment made of steel several centimetres in thickness, designed as a full-pressure containment. The containment encloses the active, high-energy pipework (such as the primary circuit coming out of the reactor with connecting pipes and the main coolant pumps) as well as the steam generators and the fuel element cooling pool for spent fuel elements. Biblis A commenced its commercial power operation in February 1975, followed by Biblis B nearly two years later in January 1977. Together Biblis A and B have produced more than 512 billion kWh (gross) of electrical energy since their commissioning. The licensee of the Biblis A and B nuclear power stations is RWE Power AG, headquartered in Essen.
The probabilistic safety assessment (PSA) carried out to date in accordance with the BMU Guidelines as part of the periodic safety review shows level 1-PSA values for Biblis A and B, which are clearly far below the target value for the core damage probabilities for operational plants (< 1E-4/a), as issued by the IAEA. The ascertained values are already in the range of values recommended for evolutionary reactors (1E-5/a). The findings also confirm the safety concept is well balanced with regard to the system and plant technology employed at the site. Level 2 PSAs (area exceeding the design criteria) were carried out for both units; their results underline the high safety level of the plant and equipment. For unit B, the ascertained value of < 1E-09/a shows a very low probability of major, early releases of fission products. The expected result of the Level 2 PSA for unit A is of the same order of magnitude, in comparison with unit B; as of 30 June 2011 (cut-off date for the EU Stress test), the analysis was not yet fully completed.


Earthquake

When erecting the Biblis nuclear power plant, an earthquake with an intensity of I = VII to VIII on the MSK scale and a maximum horizontal ground acceleration of 1.5 m/s² was used as a basis. The exceedance probability was subsequently ascertained to be 2.0 E-5/a. In 2000, the responsible regulatory authority required the use of earthquake spectra that were ascertained in 1999, which however retained the site intensity and exceedance probability. For the permit to erect the site intermediate storage facility, the so-called Eco Spectrum was applied and was confirmed as being conservative for the Biblis site by the surveyor appointed by the nuclear authorities, the Federal Institute for Geosciences and Raw Materials (Bundesanstalt für Geowissenschaften und Rohstoffe). A current assessment was also carried out in November 2010 according to the criteria required by the KTA 2201.1 (Nov. 2010), which judged all previously identified design fundamentals as valid and very conservative. All the safety-related, important buildings and systems are designed to withstand the earthquake upon which the construction was based, so that neither emergency measures nor mobile equipment are necessary to bring the plant under control (in principle it is assumed there will be an emergency power situation). Therefore important supplies (fuel for the diesels, deionised water to supply the steam generators, borated water) are also accommodated in the protected buildings or in underground tanks. Damages in systems that are not explicitly designed to withstand earthquakes cannot be excluded; it is possible to assume, however, that such damages, if they occur, will not have any effects on the systems used to safely shut down the plant. Only slight effects are expected in the surrounding areas in the event of the rated earthquake intensity on the site, with no effects on the grounds themselves in particular.
However, general precautions have been put in place against limited accessibility, so that sufficient road clearing equipment and diesel supplies are available for self-reliance for at least 72 hours. As part of the permit, the licensee is legally required to demonstrate through regularly recurring checks that the essential plant properties and safety and barrier functions are in place for the safety of the plant and that the quality and effectiveness of the safety-related measures and facilities are guaranteed. With regard to the earthquake resistance, recurring visual inspections are therefore performed on the pipework hangers and components and the earthquake instrumentation is tested. This guarantees that the plant and equipment is in compliance with the approved conditions of operation. Due to the conservative global design requirements against the effects of earthquakes, substantial reserves can be identified to preserve the safety functions and integrity of the reactor containment with regard to the stresses caused by earthquakes. As a result of the permanent flood control measures and the topography of the surrounding area (backfilling to 91.00 m above sea level, also see next section), flooding which exceeds the design criteria as a result of an earthquake is considered a physical impossibility.


Far-reaching reserves exist to control occurrences as a result of an earthquake due to the specified high degree of robustness of the system. Therefore, there is no necessity for any equipment or plant modifications or additional precautionary measures.

Flooding

The nuclear power plant grounds in the area of the unit equipment were elevated as permanent protection against flooding by backfilling to an elevation of 91.00 m above sea level and are therefore clearly about 3.50 m higher than vast parts of the flat surrounding area. The design of the safety-related buildings of the Biblis plant was carried out on the basis of a flood with an exceedance probability of 10⁻³/a (so-called 1,000-year flood), representing a Rhine water level of 92.5 m above sea level. Up to this level, the safety-related buildings are equipped with flood control measures (building construction or insulating panels). The current design guidelines against flooding according to KTA 2207 require plants to be designed to withstand flooding with a probability of 10⁻⁴/a (so-called 10,000-year flood) and allow the retention on site and in the catchment area to be taken into account in the calculation. On this basis the design flood for the Biblis plant was ascertained to be 91.50 m above sea level in the context of approving the site intermediate storage facility in 2003. In addition, a water level exceeding 91.50 m above sea level was not considered a possibility during the aforementioned approval procedure. This was again confirmed by a recent report this year. The design flood ascertained in this way can be used for the complete Biblis nuclear power plant. Thus the Biblis plant can handle 10,000-year floods with a safety margin (freeboard) of at least 1.00 m for the vital plant structures and equipment. A flooding of the nuclear power plant grounds can be excluded in the event of overflowing or breached dykes due to the clearly lower-lying, large-scale retention areas on both sides of the River Rhine. In the event of a large-scale flooding of the retention areas with relevance for the surrounding infrastructure, precautionary measures are in place to secure the availability of personnel and to supply the equipment and plant.

Extreme weather conditions

The following external influences due to nature, in addition to earthquakes and flooding, were taken into consideration in the design of the equipment and plant:

- Wind and snow loads as service loads in accordance with DIN 1055
- High ambient temperatures
- Low ambient temperatures / ice
- Low water levels
- Biological phenomena
- Flotsam near the power plant intake structure
- Occurrence of biomasses
- Lightning

To counteract these influences, effective measures are in place to ensure compliance with the applicable protective objectives for the respective influences. Causal combinations of nature-related influences from the outside were taken into consideration or are covered by other design parameters. Other natural external influences are not relevant to safety for the Biblis site. This is confirmed by the findings of the performed safety tests as well as the ongoing supervision by the relevant authority. There are no such deficiencies in the equipment and plant at this time.

Loss of electrical power

Because of the spatial separation and with regard to the voltage levels of the diverse mains connections (380 kV, 220 kV, 20 kV), extensive measures are in place for the Biblis nuclear power plant so that both units can continue to be supplied with power, even in the event of malfunctions in individual external networks, or so that they can be supplied with power externally. In addition, the units also have a variety of their own multiple redundant emergency power supply systems and the possibility of being supplied with power by the neighbouring unit. All the events postulated in the EU stress test and occurrences which have to be examined, and which cover extremely unlikely accidents beyond the design, will be handled by the plant even in the long term, so that no fuel element damages in the reactor core or in the fuel element pools can occur. The various fixed, multiply redundant and diverse emergency diesel generating sets and the complementary emergency measures in accordance with the layered safety concept are the plant engineering measures relied upon here. The complete breakdown of the four-train redundant emergency diesels (4 x 50%) for a unit will be managed by employing the possibilities of supplying boric acid, emergency feed water and electrical energy between the two units by means of the emergency system. Because of this design, the loss of the emergency diesels in a unit, which is termed a Station Blackout in accordance with the IAEA definition, will be managed safely. The existing fuel supplies for the respective diesel generators at the power plant site guarantee such a long period of operation that considerable time in the order of days remains before refuelling is needed, even in view of the aggravating constraints defined by ENSREG which make the access to the nuclear power plant more difficult. The required staff is always available at the plant as shift-working staff. No external staff or external mobile facilities are required.


The battery systems used in the plant are already designed for a running time of more than 2 hours on the basis of the available battery capacity, which can be extended by using relief measures (e.g. switching off unnecessary components). In the event of a total mains loss and breakdown of all the internal emergency power facilities (8 emergency diesel generators), the hydro-electric power station Vianden (black start capable) or the lignite-fired power plant Niederaußem are available to supply the power for the Biblis nuclear power plant. Because of the outlined extremely high level of robustness of the Biblis nuclear power plant in safeguarding the supply of power, there is no need for measures to increase the robustness, even when taking into account the anticipated triggering events such as earthquakes, floods and extreme weather conditions.

Loss of the ultimate heat sink

A scram occurs automatically in the event of the non-availability of the cooling water supply. The residual heat is dissipated via the secondary side to the atmosphere. As a result of the lacking supply of cooling water, the emergency feed water pumps are not available. In this case, the additional feed water system is available to feed the steam generators. It is activated automatically. The two units each have their own, separate cooling water intake. In the event of a failure in the cooling water supply for one unit, the supply of water required to dissipate the heat is backed up through the neighbouring unit. If both units are affected, the heat removal is handled with the help of the additional, independent secondary feed system. Furthermore, emergency measures are available in both units to feed the steam generators using mobile pumps. As an alternative heat sink to the secondary cooling water, the fire-fighting system can additionally be used in both units to cool the pool and for the long-term heat removal from the primary circuit with the emergency after-cooling pump. There are no time restrictions for the availability of the fire-fighting system. The fire-fighting system is continuously available and goes into operation without any time delays when necessary. Even without the fire-fighting system as an alternative heat sink, the decay heat of the plant can be dissipated into the atmosphere via the steam generators, fed by the additional secondary feed system or by mobile pumps as part of an emergency measure, until the stationary facilities take over in the long term. Various wells on the plant site or natural water reservoirs in the surrounding area (e.g. Rhine, artificial lakes) are available as sources to feed the steam generators and to cool the fuel element pool as emergency measures. During the implementation of the above measures, no core damage occurs in the event of losing the secured secondary cooling water. A further increase in robustness is not required.


Loss of the ultimate heat sink in the event of a station blackout

For the definition of "station blackout", the IAEA Safety Guide NS-G-1.8 is used: “A Station Blackout is the complete loss of the alternating current supply from the external network, from the generator and from the emergency power systems. It does not include a breakdown in the uninterruptible alternating current supply or a breakdown in the alternative alternating current supplies.” Therefore the "station blackout" at the Biblis power plant can, according to the above definition, be completely handled at one unit by the other unit. The resulting case corresponds to an "emergency power incident and a breakdown of the normal backup a.c. source" (see section 0.7). In the event that a "station blackout" occurs in both units, this will not result in any new aspects that go over and beyond those that were already dealt with in the previous section as a result of the combination with the loss of the primary heat sink.

Severe accident management

"Intra-plant emergency response" means the totality of all the measures taken at a nuclear power plant to identify and control event processes exceeding the design, i.e. being able to recognise system states or event processes that are unforeseen or are not controlled by the design, and to effectively limit their impact inside and outside the plant as soon as possible. This means that first of all multiple failures of the redundant, diverse and spatially separated safety systems are assumed, which are intended and designed for the control of plant malfunctions and breakdowns. Emergency measures are then used to restore the plant to a safe state to safeguard the basic safety objectives. These measures can be divided into damage control (prevention) and damage limitation (mitigation) measures. The emergency measures prepared for the Biblis nuclear power station are designed so that they primarily will guarantee the safety objectives and minimize the impact of events, even in the case of potential damage to the core. To do this, written instructions and concepts are available in accordance with the emergency manual on how to restore the supply of power and cooling water, how to feed the steam generators, how to flood the reactor core and the fuel element pool, and how to maintain the barriers. The emergency protection plan includes the formation of organizational units and the provision of technical facilities to coordinate emergency measures, provide comprehensive information to the public, and support the disaster control agency when deciding on measures to protect the population.


The shift staffing during normal operations always ensures there is sufficient expert staff available to perform the initially required emergency measures in the event of an emergency, without requiring any external support. In addition, the emergency manual specifies an emergency organisation consisting of an emergency team and other operational units, which can be notified via an alarm system in a short period of time. A variety of diverse means of communication are available for this purpose; their function is guaranteed even in case the infrastructure is largely destroyed. Alerting the emergency staff, deployment units and standbys is practiced regularly during emergency safety exercises. The availability and sufficient level of manpower and time required to deploy the standbys are regularly checked at that time. When assessing the emergency organisation's ability to act, impaired accessibility of the nuclear power plant and difficult radiological conditions are taken into account, and appropriate countermeasures are in place (e.g. backup rooms in deployment zones). All relevant emergency equipment located on-site of the Biblis nuclear power station is tested periodically for completeness by using recurring tests. In addition, dedicated arrangements exist with suppliers for external technical assistance (such as the plant manufacturer's emergency team, Kerntechnischer Hilfsdienst GmbH, the provision of fuel and supplies, etc.). The implementation of emergency measures is possible even if the supply of power fails. Instrumentation including radiological data recorders is available which makes it possible to identify the system status even under core melting conditions (even after temporarily losing power or ancillary media) and to supply the information required for emergency measures.

The investigations show that the preventive procedures and the mitigative processes for core damages are adequate, comprehensive and suitable. The accessibility and usability of areas of the plant (control rooms, emergency control centres, emergency safety facilities, local control and measuring points) is still available even under difficult conditions in accordance with the statutory provisions, and especially the Radiation Protection Ordinance (Strahlenschutzverordnung). The preparation of a manual for mitigative incident handling (SAMG or Severe Accident Management Guideline) has been launched to further enhance the effectiveness of managing an emergency.

Emergency measures for core cooling, to maintain the integrity of the containment, as well as to limit the activity release into the environment

All measures that ensure the decay heat in the fuel elements can be dissipated are seen as preventive means to avoid fuel element damages. Sufficient quantities of coolant in the nuclear reactor containment and the fuel pool as well as an available heat sink are the major requirements here. The concept of the emergency manual requires measures for the relief of pressure in the steam generators and feeding into the pressureless steam generator to be carried out as a priority (secondary bleed and feed). Thus, the goal is to use the content of the feed water storage tank or to set up a replacement feed with a mobile pump in the event of a complete failure of all operational and technical safety systems which supply the steam generator. Sufficient cooling is secured this way by dissipating the heat via the atmospheric steam dumping stations. The emergency procedure to ensure sufficient availability of coolant is to open the pressurizer valves to lower the pressure in the primary circuit far enough that the emergency cooling systems/accumulator tanks are able to refill the primary circuit (pressure relief and feed on the primary side). The water resources available for this are highly borated so that the subcriticality remains assured. In the case of the assumed failure of the previously described preventive measures, the mitigative measures will intervene to protect the integrity of the reactor's containment; these consist of the passive recombiners for hydrogen reduction and the release of pressure prior to reaching the failure pressure (venting) as well as the filtering of the venting flow. These measures are effective even if the fuel elements are already damaged or the reactor pressure vessel has suffered a functional failure. The active hydrogen monitoring system detects the release of hydrogen inside the reactor containment. In addition, 91 (unit A) or 77 (unit B) passively operating autocatalytic hydrogen recombiners are installed in the reactor containment, which limit and reduce the concentration of hydrogen in the medium term. The objective of the emergency measure for filtered pressure relief is to restrict the pressure build-up inside the reactor containment while simultaneously minimising the radioactive effects on the environment.
Filtering units for aerosols (level of separation ≥ 99.0%) and iodine (levels of separation for elementary iodine ≥ 99.0% and organic iodine ≥ 90%) are located within the pressure relief line. To assess the release of radioactive substances, there is a system in unit B for taking atmosphere samples from the reactor containment. Implementation is planned in unit A during the next routine maintenance inspection. A spontaneous loss of integrity of the containment and a release of the associated activity can effectively be avoided by using filtered pressure relief. The fuel element cooling pool is located inside the reactor containment, so that in the case of assumed damages the measures outlined above to limit the hydrogen and hold back the radioactive substances inside the reactor containment are effective. Additional emergency measures which are primarily focused on the feeding of coolant are also available to ensure heat removal and subcriticality within the fuel element cooling pool. Due to the large water volume in the cooling pool, there is considerable time available to provide for additional water sources. In view of the usable instrumentation and its malfunction-proof availability, detection of any beyond-design malfunctions is also securely guaranteed. Due to the installed standby and alerting services, sufficient staff is available for deployment when necessary. All relevant activities can be carried out in suitably shielded areas, so that one can assume they can be executed even in the event of increased dose rates. The existing emergency procedures can therefore be regarded as being appropriate.


Other measures will be considered in the framework of preparing the Severe Accident Management Guideline (SAMG).


16 KKB / Brunsbüttel

Brief description of the nuclear power plant

The Brunsbüttel nuclear power plant is a product line 69 boiling water reactor constructed by Kraftwerk-Union. It has a thermal reactor output of 2,292 MW and a gross electrical output of 806 MW. Nuclear commissioning took place on 23 June 1976. In the reactor building, outside the containment, the power plant has a fuel pool for the retention and cooling of spent fuel. There is also an interim storage facility on the plant site for the retrievable storage of spent fuel in shipping casks. To control the effects of external and cascading events, the plant has, in a position spatially separated from the reactor building, an independent emergency system (IES), which fulfils all of the safety functions necessary to meet the protection goals and provides an alternative heat sink. The components of the safety system are built in multiples (redundancy) to control postulated accidents. They are structurally, mechanically, and electrically separated from one another in such a way that interactions between them are impossible, thereby fulfilling the principle of prevention of cascading events.

Earthquakes

The Brunsbüttel plant is located on the North German Plain, which is described as a tectonically very quiet area. Present-day studies have not identified a need for any significant changes as regards the initial design for withstanding the design basis earthquake. Neither the substrata nor other conditions have given cause to make changes to the precautionary measures in place. The design basis earthquake is categorised as I = 5.5 on the MSK scale. All safety-relevant buildings are designed to fully withstand seismic events. A recent assessment as part of the Reactor Safety Commission’s plant-specific safety review has confirmed, moreover, that the plant is highly robust against seismic events, so that the plant has a margin of at least one more degree of intensity. An earthquake with an intensity greater than I = VII, at which slight damage to buildings might begin to occur, can be physically ruled out based on the probability of its occurrence. Tipping point effects therefore cannot occur. Safety during external events has been further increased with the recent optimisation of mounting hardware, hangers and supports on steel platforms and other components. Certificates of functional capability, including support stability and integrity, are available for all process-related, electrical, and control components. Accessibility of the plant to personnel and materials is guaranteed at all times.

High water

The Brunsbüttel NPP is located on the tidal estuary of the Elbe River. Its flood protection consists of the coastal protection dyke (height at the Brunsbüttel NPP: +8.45m NN) and permanent and temporary measures. These measures ensure that the safety-relevant buildings of the Brunsbüttel NPP are safe from high water levels of up to +6.00m NN. The result of an assessment of the design-basis high water level with an exceedance probability of 10^-4/a per the Nuclear Safety Standards Commission safety standard (KTA 2207, “Protection of nuclear power plants against high water”) is a required dyke height of +7.50m NN. Wave run-up had already been taken into account. With a postulated dyke breach under design-basis high water conditions, a maximum water level of +3.39m NN would ensue at the Brunsbüttel NPP site. This figure is slightly higher than the existing ground level of approx. +3.00m NN in the power plant area, but far below the high water design basis of +6.00m NN. With a postulated dyke breach in immediate proximity to the Brunsbüttel NPP, the result under conservative boundary conditions is a surge wave +4.88m NN high, which, however, would not occur across the entire power plant site but would be a locally limited phenomenon. Even this surge height is below the design-basis high water level of the safety-related buildings (+6.00m NN). The methods for determining the design-basis high water level were chosen according to the requirements of the currently valid KTA 2207 and use conservative assumptions. The flood levels in the event of a postulated dyke breach and the height of the maximum surge wave also were determined by highly conservative methods and reflect the current state of science and technology. Only at a water level above +6.00m NN on the site of the Brunsbüttel NPP after a postulated dyke breach is it no longer possible to rule out an impairment of vital functions.

Given the topography of the surrounding area and the time limitation to which tide-influenced maximum water levels are subject, no realistic scenario can be identified in which such a high water level would be reached at the power plant site. There are, therefore, no “tipping point effects” to be postulated in the power plant. All emergency measures per the power plant emergency manual are implementable in the event of design-basis high water conditions. In sum, the plant exhibits a high degree of robustness that goes far beyond design-basis high water conditions and rules out further consequences from “tipping point effects”. Further improvement options or additional precautions that would contribute to robustness are therefore not necessary.

Extreme weather conditions

The Brunsbüttel plant was designed to allow for the extreme weather conditions of wind and storm loads, heavy rain, snow loads, ice loads, lightning, extreme temperatures, and low water levels. Because the plant was designed to withstand blast waves, its design also covers wind and storm loads, heavy rain, and snow and ice loads. The outside air temperatures on which the design is based range from -35 °C to +40 °C, which, given the climatic conditions at the site, cannot occur. At or above an Elbe water temperature of 29 °C the plant must be shut down in safe residual heat removal mode. The upper edge of the cooling water intake channels stands at -5.40m NN. At -3.71m NN, the water gauge stood 1.69m above the cooling water intake at the lowest known water level. Lower water levels are not to be expected. Water induction in the reactor building, in the engine house, and at the track entrance gates occurred on 4 September 2011 as a result of heavy rain. Safety systems were not endangered at any time. An investigation of the incident and resulting measures to improve the robustness of the plant are currently still in progress. Cliff edge effects cannot occur in the extreme weather conditions scenario because weather conditions beyond the design basis cannot occur. The Brunsbüttel plant is not affected in any exceptional way by extreme weather conditions, particularly by virtue of the large reserve margins resulting from the plant’s blast wave-resistant design.

Loss of power supply

When the Brunsbüttel NPP is in normal operation, station service power is supplied from the 380 kV network through a three-winding transformer, which supplies two 10 kV block buses. A second infeed from the standby network (30 kV) for the station service buses is realised through an offsite system transformer. In addition, the 10 kV buses can be supplied through the third network (gas turbine plant). When the plant is in normal operation, the station service buses supply the four emergency power buses (6 kV) of the switch house and the two emergency power buses (0.4 kV) of the independent emergency system (IES). Each emergency power bus is permanently assigned one emergency diesel that starts automatically and supplies the emergency power bus if the station service power supply fails. The IES emergency power buses can be supplied through the third network (gas turbine plant). To control station blackouts, emergency measures are taken according to the emergency manual to ensure that core cooling is maintained (steam-driven injection system [TJ]) along with measures to restore the alternating current supply. The standby network connection to the gas turbine plant is available for long-term control of this type of disturbance, among other things. The IES is available as well, as it is spatially separated and equipped with a diversely designed alternating and direct current power supply. The IES also can ensure long-term compliance with the protection goals in the low-pressure range. Because of the multiple layering of electrical power supply options, there are no identifiable tipping point effects that would result in a plant condition in which all measures are ineffective. The Brunsbüttel NPP exhibits a high degree of redundancy and diversity with its existing design features of a main grid connection, offsite supply connection, station service power supply through a turbine and generator, six spatially redundant and diverse emergency diesels, the IES, and emergency measures in the form of a third network supply through a gas turbine plant. It is to be categorised, therefore, as highly robust against power failures.

Loss of the primary heat sink

There are two redundant and diverse service water systems available – the service water system (VF) and the IES cooling water system (VE) – each of which uses a different heat sink (the atmosphere or the Elbe). If the VF system fails, the IES is available as a fully adequate replacement for heat removal. The IES has its own emergency power supply and has been retrofitted to control redundancy-defeating failures, as well as a failure of the service water system. It is set up in spatial isolation in its own bunkered building, and it is redundant and diverse in terms of structure and type of cooling (air cooling). The IES can remove from the condensate chamber all of the after-heat that accumulates after the reactor is shut down from full-load operation. Per design, therefore, the fuel assembly in the Brunsbüttel NPP is not damaged through the secured auxiliary service water if the primary heat sink fails, so that in this case no further measures are required. In the case of a postulated failure of the IES (alternative heat sink), a series of emergency measures relating to core cooling, residual heat removal, and depressurisation of the containment is available per the emergency manual. A sufficient period of time is available for their realisation, so that damage to the core is avoided. Tipping point effects do not occur. No further required measures for improving the auxiliary service water system have resulted from the nuclear supervising procedure or the periodic safety inspections, as failure of all auxiliary service water systems with the additional failure of the IES and emergency measures is already extremely unlikely. The plant is to be categorised as highly robust as regards failure of the primary heat sink.

Loss of the primary heat sink in the event of a station blackout

There are two redundant and diverse service water systems available – the service water system (VF) and the IES cooling water system (VE) – each of which uses a different heat sink (the atmosphere or the Elbe). If there is a failure of the VF system and a “station blackout”, the IES, per design, remains available for heat removal. This demonstrates the robustness of the Brunsbüttel NPP with its redundant and diverse heat sinks. Moreover, a series of diverse emergency measures is specified in the emergency manual for the Brunsbüttel NPP. No further required measures for improving the auxiliary service water system have resulted from the nuclear supervising procedure or the periodic safety inspections, as failure of all auxiliary service water systems and a “station blackout”, with the additional failure of the IES and the emergency measures, is extremely unlikely. In this case, too, the plant is to be categorised as highly robust as a result of the existing diversities in emergency power supply and the available heat sinks.

Management of serious accidents

The objective of the emergency preparedness plan for the Brunsbüttel NPP is to guarantee control of an emergency through organisational and technical measures. When the alarm system is tripped in the event of an emergency, the rules in the emergency manual go into effect in addition to the operating manual. A special crisis organisation remains in operation for the duration of the emergency. The crisis organisation supplements the normal plant organisation during an emergency. In case of need, the crisis organisation can be reinforced by external authorities. The crisis organisation’s operational quarters are located on the nuclear power plant site in the control room, operating, and switchgear buildings. Should these become inaccessible due to destruction or for radiological reasons, alternative quarters exist in the independent emergency system (IES) building. This ensures that the crisis organisation is fully operational at all times even under less favourable marginal conditions. There are plant support agreements with Areva, Helmholtz Zentrum Geesthacht, and Kerntechnischer Hilfsdienst. In addition, there are cooperative relationships with neighbouring power plants. In an emergency, measures are planned, coordinated, and implemented in close cooperation with the regional nuclear and nuclear supervisory authorities, experts and consultants (Technischer Überwachungsverein (TÜV), Gesellschaft für Anlagen- und Reaktorsicherheit (GRS), Reaktorsicherheitskommission (RSK), etc.), the competent disaster control centres, and public authorities (police, fire brigade, etc.).

Emergency measures for core cooling, to maintain the integrity of the containment, and to limit the release of radioactivity into the environment

In the Brunsbüttel NPP operating and emergency manuals, numerous spatially separated, diverse measures are described that are designed to ensure long-term cooling of the fuel pool and sufficient cooling of the core during every phase of a “loss of core cooling function” scenario. The various emergency measures can be implemented also under less favourable marginal conditions and during a failure of the auxiliary service water or emergency power supply. All emergency measures to cool the core or fuel pool are clearly implementable within the available cooling periods, so that full compliance with the protection goals is ensured at all times, even under serious accident conditions. In sum, therefore, the plant has a highly robust design and very well designed emergency measures.

17

KKK / Krümmel

Brief description of the nuclear power plant

The Krümmel nuclear power plant (Krümmel NPP) is a product line 69 boiling water reactor constructed by Kraftwerk-Union. It has a thermal output of 3,690 MW and a gross electrical output of 1,402 MW. The plant’s nuclear commissioning took place in September 1983 (first criticality on 14 September 1983). The fuel pool is located outside the containment in the reactor building, which is designed to withstand aircraft crashes and blast waves. All of the safety systems necessary to ensure that the nuclear protection goals are fulfilled also are designed to withstand these external events. The components of the safety system are built in multiples (redundancy) to control postulated accidents. They are structurally, mechanically, and electrically separated from one another so that interactions between them are impossible, thereby fulfilling the principle of prevention of cascading events.

Earthquakes

The Krümmel nuclear power plant is located on the North German Plain on the Elbe River. This has been identified as a tectonically very quiet area. The plant was designed to withstand the design-basis earthquake according to the terms of the second partial construction permit. Current studies in connection with the Periodic Safety Review of Nuclear Plants 2008 have reconfirmed the validity of these statements. Additional studies in connection with construction of the on-site interim storage facility also have corroborated these results. All safety-relevant components have therefore been designed to fully withstand the design-basis earthquake with an intensity of I = VI (MSK). A recent assessment for the Reactor Safety Commission’s plant-specific safety review has confirmed, moreover, that the plant is highly robust against seismic events, so that the plant has received the benefit of one more degree of intensity. An earthquake with an intensity greater than I = VII, at which slight damage to buildings might begin to occur, can be physically ruled out based on the probability of its occurrence. Tipping point effects therefore cannot occur. Furthermore, effects that may accompany an earthquake, such as failure of the external power supply or flooding, are fully controlled. Accessibility for personnel and equipment is assured at all times in any earthquake to be expected.

High water

The Krümmel plant is situated on the Elbe River. The high water protection is designed for a gauge level of 9.70m NN. The high water protection was reassessed in connection with the Periodic Safety Review of Nuclear Plants 2008. Among other things, the design-basis high water level was ascertained for the site, in accordance with the KTA 2207 safety standard (“Protection of nuclear power plants against high water”), with an exceedance probability of PÜ = 10^-4/a. The uncertainty analysis produced an upper limit of 9.63 m NN for design-basis high water, with the dykes in the upper reaches of the river and on the side of the river opposite the Krümmel nuclear power plant, which under realistic assumptions would have been breached, being conservatively postulated as intact. The risk of tidal waves is non-existent at the site. High water events therefore are long-term processes that allow sufficient time to set up high water protection measures. Tipping point effects can be ruled out at the site since high water in excess of the 9.70m NN high water protection cannot occur for physical reasons. The high water protection of the buildings in the secured area was found to have potential for improvement through the addition of permanent high water protection measures to the temporary high water protection measures.

Extreme weather conditions

The Krümmel plant was designed to allow for the extreme weather conditions of wind and storm loads, heavy rain, snow loads, ice loads, lightning, extreme temperatures as well as low water levels. Because the plant was designed to withstand blast waves, its design also covers wind and storm loads, heavy rain, and snow and ice loads. The outside air temperatures on which the design is based range from -35 °C to +40 °C, which cannot occur given the climatic conditions at the site. The underlying design temperature for the operating cycles and the auxiliary service water trains is 25 °C, but availability of the residual heat removal system has been verified also at 30 °C. The upper edge of the cooling water intake channels stands at +1.65 m NN. Even with a minimum assumable level of approx. +2.9 m NN at the cooling water intake, there is still a water overlap of approx. 1.25 m. Cliff edge effects are therefore not a matter of concern.

Loss of power supply

Loss of the external power supply results in loss of the main offsite and standby offsite power connections. Furthermore, load rejection to the auxiliary power supply is unsuccessful. The failure of the station service power supply that then sets in (loss of offsite power) was taken into account in the plant’s design. Six electrical redundancies are available, each with an emergency diesel supply. As a result of the high redundancy and the spatial separation of the emergency power supply, cascading failures that might result in a station blackout (prolonged absence of voltage on the 10 kV emergency buses) are practically impossible. To control a station blackout, emergency measures are taken per the emergency manual to ensure that core cooling is maintained (steam-driven injection system [TJ]), as are measures to restore the alternating current supply. In addition, the third power connection is available with a power supply guaranteed by, among other things, the pumped-storage power plant. Because of the multiple layering of electrical power supply options, there are no identifiable tipping point effects that would result in a plant condition in which all measures are ineffective. The Krümmel NPP exhibits a high degree of redundancy and diversity with its existing design features of a main offsite power connection, offsite supply connection, station service power supply through a turbine and generator, six spatially redundant and diverse emergency diesels, and emergency measures in the form of a third network supply through a pumped-storage plant. It is to be categorised, therefore, as highly robust against power failures. Potential for improvement beyond the measures already in place is seen with the prospect of

- procuring an additional mobile emergency power generator, to be set up in the area of the power plant switching station,

- or further improvements in emergency measures that would for example prolong the discharge time of the batteries.

Loss of the primary heat sink

The cooling-water supply for the Krümmel NPP is set up, spatially separated, in the form of two circulating water intake structures, each with one cooling water pump house. The Elbe River constitutes the plant’s primary heat sink. Failure of the receiving water (the Elbe) cannot occur because a minimum water level is always present for topographical reasons and the intake structures are built directly on the river bank. Because of the structurally separated design of the circulating water intake structures, a simultaneous failure can be ruled out. Failure of the cooling water discharge canal is not to be postulated because of the large effluent cross section. In a postulated scenario in which the auxiliary service water fails on its own, the network connection remains available. A series of measures for avoiding damage to the fuel elements is then available per the Krümmel NPP operating and emergency manuals. The quantity of water required for core cooling can be covered for more than 24 hours by the water reserves stored at the plant. These reserves can subsequently be supplemented from the Geesthacht drinking water system or from the Elbe by means of mobile pumps. Cliff edge effects do not occur. The periodic safety inspections have revealed no indications of measures needed to increase the safety potential for the auxiliary service water supply.

Loss of the primary heat sink in the event of a station blackout

Overlapping a failure of the primary heat sink with a station blackout produces no findings beyond those of the plant assessment for the control of the single events. Moreover, a series of diverse emergency measures is specified in the Krümmel NPP emergency manual. No additional required measures for improving the auxiliary service water system have resulted from the nuclear supervising procedure or periodic safety inspections.

Management of serious accidents

The objective of the emergency preparedness plan for the Krümmel NPP is to guarantee control of an emergency through organisational and technical measures. When the alarm system is triggered in the event of an emergency, the rules in the emergency manual go into effect in addition to the operating manual. A special crisis organisation remains in operation for the duration of the emergency. The crisis organisation supplements the normal plant organisation during an emergency. In case of need, the crisis organisation can be reinforced by external authorities. The crisis organisation’s operational quarters are located on the nuclear power plant site. Should they become inaccessible through destruction or for radiological reasons, alternative quarters exist in the Geesthacht pumped-storage power plant. This ensures that the crisis organisation is fully operational at all times even under less favourable marginal conditions. There are plant support agreements with Areva, Helmholtz Zentrum Geesthacht, and Kerntechnischer Hilfsdienst. In addition, there are cooperative relationships with neighbouring power plants. In an emergency, measures are planned, coordinated, and implemented in close cooperation with the regional nuclear and nuclear supervisory authorities, experts and consultants (Technischer Überwachungsverein (TÜV), Gesellschaft für Anlagen- und Reaktorsicherheit (GRS), Reaktorsicherheitskommission (RSK), etc.), the competent disaster control centres, and public authorities (police, fire brigade, etc.).

Emergency measures for core cooling, to maintain the integrity of the containment, and to limit the release of radioactivity into the environment

In the Krümmel NPP operating and emergency manuals, numerous spatially separated, diverse measures are described that are designed to ensure long-term cooling of the fuel pool and sufficient cooling of the core during every phase of a “loss of core cooling function” scenario. The various emergency measures can be implemented also under less favourable marginal conditions and during a failure of the auxiliary service water or emergency power supply. All emergency measures to cool the core or fuel pool are clearly implementable within the available cooling periods, so that full compliance with the protection goals is ensured at all times, even under serious accident conditions. In sum, the plant has a highly robust design and very well-designed emergency measures.
